From cd3ee91a4b6024ecca2c0000ef7294d0795eff5e Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Wed, 21 Mar 2007 15:51:52 +0000
Subject: [PATCH] add fail2ban from dan

---
 Changelog                           |  1 +
 policy/modules/services/fail2ban.fc |  3 ++
 policy/modules/services/fail2ban.if | 80 +++++++++++++++++++++++++++++
 policy/modules/services/fail2ban.te | 74 ++++++++++++++++++++++++++
 4 files changed, 158 insertions(+)
 create mode 100644 policy/modules/services/fail2ban.fc
 create mode 100644 policy/modules/services/fail2ban.if
 create mode 100644 policy/modules/services/fail2ban.te

diff --git a/Changelog b/Changelog
index d2b14e64..d63829de 100644
--- a/Changelog
+++ b/Changelog
@@ -37,6 +37,7 @@
 	Thu, 25 Jan 2007
 - Added modules:
 	consolekit (Dan Walsh)
+	fail2ban (Dan Walsh)
 
 * Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
 - Add policy patterns support macros.  This changes the behavior of
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
new file mode 100644
index 00000000..08be019d
--- /dev/null
+++ b/policy/modules/services/fail2ban.fc
@@ -0,0 +1,3 @@
+/usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/log/fail2ban.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
new file mode 100644
index 00000000..01dab0d8
--- /dev/null
+++ b/policy/modules/services/fail2ban.if
@@ -0,0 +1,80 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+	gen_require(`
+		type fail2ban_t, fail2ban_exec_t;
+	')
+
+	domtrans_pattern($1,fail2ban_exec_t,fail2ban_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	fail2ban log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+	gen_require(`
+		type fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 fail2ban_var_run_t:file read_file_perms;
+')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
new file mode 100644
index 00000000..1a455372
--- /dev/null
+++ b/policy/modules/services/fail2ban.te
@@ -0,0 +1,74 @@
+
+policy_module(fail2ban,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t,fail2ban_log_t,fail2ban_log_t)
+logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
+
+# pid file
+manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_search_sbin(fail2ban_t)
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+
+libs_use_ld_so(fail2ban_t)
+libs_use_shared_libs(fail2ban_t)
+
+logging_read_generic_logs(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(fail2ban_t)
+	term_dontaudit_use_generic_ptys(fail2ban_t)
+')
+
+optional_policy(`
+	apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	iptables_domtrans(fail2ban_t)
+')