## <summary>DenyHosts SSH dictionary attack mitigation</summary>
## <desc>
## <p>
## DenyHosts is a script intended to be run by Linux
## system administrators to help thwart SSH server attacks
## (also known as dictionary based attacks and brute force
## attacks).
## </p>
## </desc>
########################################
## <summary>
##	Execute a domain transition to run denyhosts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`denyhosts_domtrans',`
	gen_require(`
		type denyhosts_t, denyhosts_exec_t;
	')

	# The caller domain (first argument) may execute files labeled
	# denyhosts_exec_t and the resulting process runs as denyhosts_t.
	# The exact permissions come from domtrans_pattern, which is defined
	# outside this file. Grant this interface only to domains that are
	# meant to start the daemon.
	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
')
########################################
## <summary>
##	Execute the denyhosts init script
##	(denyhosts_initrc_exec_t) with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`denyhosts_initrc_domtrans',`
	gen_require(`
		type denyhosts_initrc_exec_t;
	')

	# Only the init script type is named here. The domain the script
	# runs in is chosen by init_labeled_script_domtrans, which is defined
	# outside this file (presumably the init script domain - confirm
	# against the init module).
	init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
')
########################################
## <summary>
##	All of the rules required to administrate
##	a denyhosts environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`denyhosts_admin',`
	gen_require(`
		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
	')

	# Process control over the running daemon: the signal_perms set plus
	# ptrace, and visibility of the process through ps_process_pattern.
	# NOTE(review): ptrace lets the admin domain inspect and modify the
	# memory of the denyhosts_t process, which is more than stopping or
	# restarting the service requires. Confirm it is intended for every
	# domain that is given this interface.
	allow $1 denyhosts_t:process { ptrace signal_perms };
	ps_process_pattern($1, denyhosts_t)

	# Service management: the admin domain may run the denyhosts init
	# script, and the admin role (second argument) may change to system_r
	# when executing a file labeled denyhosts_initrc_exec_t.
	denyhosts_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 denyhosts_initrc_exec_t system_r;
	allow $2 system_r;

	# Daemon state labeled denyhosts_var_lib_t. admin_pattern is defined
	# outside this file; it is expected to grant management of objects
	# with the given type - confirm against the support macros. The
	# files_list_var_lib call presumably covers the parent directory.
	files_list_var_lib($1)
	admin_pattern($1, denyhosts_var_lib_t)

	# Daemon logs labeled denyhosts_var_log_t. Management access here
	# includes the records of blocked hosts, so treat this interface as
	# able to alter that audit trail.
	logging_list_logs($1)
	admin_pattern($1, denyhosts_var_log_t)

	# Lock files labeled denyhosts_var_lock_t.
	files_list_locks($1)
	admin_pattern($1, denyhosts_var_lock_t)
')