trunk: fail2ban update from dan.

2008-09-05 14:17:18 +00:00 · 2008-09-05 14:17:18 +00:00 · cdac989dee
commit cdac989dee
parent 96851b1d63
3 changed files with 33 additions and 5 deletions
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork, 1.2.17)
+policy_module(corenetwork, 1.2.18)

 ########################################
 #
@ -174,6 +174,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(wccp, udp,2048,s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@ -1,3 +1,7 @@
+/etc/rc.d/init.d/fail2ban --	gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
+
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@ -1,5 +1,5 @@

-policy_module(fail2ban, 1.1.0)
+policy_module(fail2ban, 1.1.1)

 ########################################
 #
@ -18,6 +18,9 @@ logging_log_file(fail2ban_log_t)
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)

+type fail2ban_script_exec_t;
+init_script_file(fail2ban_script_exec_t)
+
 ########################################
 #
 # fail2ban local policy
@ -25,7 +28,8 @@ files_pid_file(fail2ban_var_run_t)

 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;

 # log files
 allow fail2ban_t fail2ban_log_t:dir setattr;
@ -33,28 +37,47 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)

 # pid file
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })

 kernel_read_system_state(fail2ban_t)

 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)

+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_all_nodes(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
 dev_read_urand(fail2ban_t)

 domain_use_interactive_fds(fail2ban_t)

 files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
 files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)

 libs_use_ld_so(fail2ban_t)
 libs_use_shared_libs(fail2ban_t)

-logging_read_generic_logs(fail2ban_t)
+logging_read_all_logs(fail2ban_t)

 miscfiles_read_localization(fail2ban_t)

+mta_send_mail(fail2ban_t)
+
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')