selinux-policy/policy/modules/services/fail2ban.if

196 lines
4.1 KiB
Plaintext
Raw Normal View History

2007-03-21 15:51:52 +00:00
## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
########################################
## <summary>
## Execute a domain transition to run fail2ban.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`fail2ban_domtrans',`
gen_require(`
type fail2ban_t, fail2ban_exec_t;
')
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
2007-03-21 15:51:52 +00:00
')
2010-03-16 17:14:46 +00:00
#####################################
## <summary>
## Connect to fail2ban over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_stream_connect',`
gen_require(`
type fail2ban_t, fail2ban_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
')
########################################
## <summary>
## Read and write to an fail2ban unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
2009-06-12 19:44:10 +00:00
########################################
## <summary>
## Read fail2ban lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_read_lib_files',`
gen_require(`
type fail2ban_var_lib_t;
')
files_search_var_lib($1)
allow $1 fail2ban_var_lib_t:file read_file_perms;
')
2007-03-21 15:51:52 +00:00
########################################
## <summary>
## Allow the specified domain to read fail2ban's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_read_log',`
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
2008-10-20 16:10:42 +00:00
allow $1 fail2ban_log_t:file read_file_perms;
2007-03-21 15:51:52 +00:00
')
########################################
## <summary>
## Allow the specified domain to append
## fail2ban log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
2007-03-21 15:51:52 +00:00
## </summary>
## </param>
#
interface(`fail2ban_append_log',`
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
## <summary>
## Read fail2ban PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_read_pid_files',`
gen_require(`
type fail2ban_var_run_t;
')
files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
')
2008-10-08 15:50:03 +00:00
2010-08-26 13:41:21 +00:00
########################################
## <summary>
## dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_leaks',`
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:tcp_socket { read write };
dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
2008-10-08 15:50:03 +00:00
########################################
## <summary>
## All of the rules required to administrate
## an fail2ban environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the fail2ban domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_admin',`
gen_require(`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible.
2010-09-17 07:49:15 +00:00
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
type fail2ban_var_run_t;
2008-10-08 15:50:03 +00:00
')
allow $1 fail2ban_t:process { ptrace signal_perms };
ps_process_pattern($1, fail2ban_t)
2009-06-12 19:44:10 +00:00
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
2008-10-08 15:50:03 +00:00
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
')