- Allow fail2ban to create a socket in /var/run
This commit is contained in:
parent
59d6fbb642
commit
e1060e24d5
@ -970,7 +970,7 @@ pyzor = module
|
|||||||
#
|
#
|
||||||
# Policy for qmail
|
# Policy for qmail
|
||||||
#
|
#
|
||||||
qmail = base
|
qmail = module
|
||||||
|
|
||||||
# Layer: admin
|
# Layer: admin
|
||||||
# Module: quota
|
# Module: quota
|
||||||
|
@ -1495,7 +1495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
|
|||||||
#######################################
|
#######################################
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
|
||||||
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
|
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-01-21 13:29:12.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-02-01 08:20:58.000000000 -0500
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
files_purge_tmp(tmpreaper_t)
|
files_purge_tmp(tmpreaper_t)
|
||||||
# why does it need setattr?
|
# why does it need setattr?
|
||||||
@ -1504,10 +1504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
|
|||||||
|
|
||||||
mls_file_read_all_levels(tmpreaper_t)
|
mls_file_read_all_levels(tmpreaper_t)
|
||||||
mls_file_write_all_levels(tmpreaper_t)
|
mls_file_write_all_levels(tmpreaper_t)
|
||||||
@@ -43,5 +44,14 @@
|
@@ -42,6 +43,19 @@
|
||||||
|
|
||||||
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
|
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
|
||||||
|
|
||||||
optional_policy(`
|
+userdom_delete_all_users_home_content_dirs(tmpreaper_t)
|
||||||
|
+userdom_delete_all_users_home_content_files(tmpreaper_t)
|
||||||
|
+userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ amavis_manage_spool_files(tmpreaper_t)
|
+ amavis_manage_spool_files(tmpreaper_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
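Review bot: The three `userdom_delete_all_users_home_content_*` calls added to tmpreaper.te sit outside any `optional_policy` or `tunable_policy` block, so every system carrying this module grants tmpreaper_t unconditional delete rights over every user's home-labelled directories, files and symlinks, whether or not tmpreaper is configured to sweep home directories. For a cron-driven cleanup tool that is a broad standing grant; wrapping the three lines in a `tunable_policy` conditional keyed to a new boolean (name to be chosen, declared with `gen_tunable`) would let the default stay off on systems that never point tmpreaper at /home. The lines would also benefit from a one-line comment stating why they exist, e.g. `# tmpreaper may be configured to expire files under user home directories`. The tmpreaper.te context continues in the next outer hunk.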
@ -1515,7 +1520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
|
|||||||
+ kismet_manage_log(tmpreaper_t)
|
+ kismet_manage_log(tmpreaper_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
optional_policy(`
|
||||||
lpd_manage_spool(tmpreaper_t)
|
lpd_manage_spool(tmpreaper_t)
|
||||||
')
|
')
|
||||||
+
|
+
|
||||||
@ -10971,12 +10976,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-01-18 12:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-02-01 07:42:38.000000000 -0500
|
||||||
@@ -1,3 +1,6 @@
|
@@ -1,3 +1,7 @@
|
||||||
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||||
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
|
||||||
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
|
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
|
||||||
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||||
|
+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
|
||||||
+/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
|
+/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.5/policy/modules/services/fail2ban.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.5/policy/modules/services/fail2ban.if
|
||||||
@ -11053,7 +11059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te
|
||||||
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-01-21 13:50:35.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-02-01 07:40:59.000000000 -0500
|
||||||
@@ -18,6 +18,9 @@
|
@@ -18,6 +18,9 @@
|
||||||
type fail2ban_var_run_t;
|
type fail2ban_var_run_t;
|
||||||
files_pid_file(fail2ban_var_run_t)
|
files_pid_file(fail2ban_var_run_t)
|
||||||
@ -11064,7 +11070,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# fail2ban local policy
|
# fail2ban local policy
|
||||||
@@ -55,6 +58,8 @@
|
@@ -33,8 +36,9 @@
|
||||||
|
logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
|
||||||
|
|
||||||
|
# pid file
|
||||||
|
+manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
|
||||||
|
manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
|
||||||
|
-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
|
||||||
|
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })
|
||||||
|
|
||||||
|
kernel_read_system_state(fail2ban_t)
|
||||||
|
|
||||||
|
@@ -55,6 +59,8 @@
|
||||||
|
|
||||||
miscfiles_read_localization(fail2ban_t)
|
miscfiles_read_localization(fail2ban_t)
|
||||||
|
|
||||||
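Review bot: The `# pid file` comment in the fail2ban.te hunk now heads a rule set that also creates and manages the control socket (`manage_sock_files_pattern` and the `{ file sock_file }` transition on the following lines), so the comment no longer describes the block; because that line is inner-patch context, updating it means a `-# pid file` / `+# pid file and control socket` pair in the patch. The fc hunk earlier in this commit labels `/var/run/fail2ban\.sock` as fail2ban_var_run_t with `-s`, which matches the `sock_file` transition here, so the two changes agree. Nothing in the hunk grants any other domain access to the socket; if the client side of fail2ban is expected to run in a domain other than fail2ban_t, that access would need its own interface, which is outside what this commit shows.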
@ -17973,7 +17990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
|
|||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.5/policy/modules/services/smartmon.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.5/policy/modules/services/smartmon.te
|
||||||
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te 2008-01-18 12:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te 2008-02-01 08:41:51.000000000 -0500
|
||||||
@@ -16,6 +16,9 @@
|
@@ -16,6 +16,9 @@
|
||||||
type fsdaemon_tmp_t;
|
type fsdaemon_tmp_t;
|
||||||
files_tmp_file(fsdaemon_tmp_t)
|
files_tmp_file(fsdaemon_tmp_t)
|
||||||
@ -17984,6 +18001,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
|
@@ -49,6 +52,7 @@
|
||||||
|
corenet_udp_sendrecv_all_ports(fsdaemon_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(fsdaemon_t)
|
||||||
|
+dev_read_urand(fsdaemon_t)
|
||||||
|
|
||||||
|
domain_use_interactive_fds(fsdaemon_t)
|
||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.5/policy/modules/services/snmp.fc
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.5/policy/modules/services/snmp.fc
|
||||||
--- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/services/snmp.fc 2008-01-18 12:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/services/snmp.fc 2008-01-18 12:40:46.000000000 -0500
|
||||||
@ -21638,7 +21663,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
|
|||||||
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if
|
||||||
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/fstools.if 2008-01-18 12:40:46.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/fstools.if 2008-02-01 08:40:37.000000000 -0500
|
||||||
|
@@ -81,10 +81,10 @@
|
||||||
|
#
|
||||||
|
interface(`fstools_read_pipes',`
|
||||||
|
gen_require(`
|
||||||
|
- type fsdaemon_t;
|
||||||
|
+ type fstools_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
- allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
|
||||||
|
+ allow $1 fstools_t:fifo_file read_fifo_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
@@ -142,3 +142,20 @@
|
@@ -142,3 +142,20 @@
|
||||||
|
|
||||||
allow $1 swapfile_t:file getattr;
|
allow $1 swapfile_t:file getattr;
|
||||||
@ -23561,7 +23599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
|||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-29 15:11:06.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-31 15:54:53.000000000 -0500
|
||||||
@@ -75,7 +75,6 @@
|
@@ -75,7 +75,6 @@
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||||
@ -24658,7 +24696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
|
||||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||||
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-31 08:42:16.000000000 -0500
|
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-02-01 08:23:22.000000000 -0500
|
||||||
@@ -29,9 +29,14 @@
|
@@ -29,9 +29,14 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -26692,7 +26730,87 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -5109,7 +5265,7 @@
|
@@ -4833,6 +4989,26 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## delete all directories
|
||||||
|
+## in all users home directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_delete_all_users_home_content_dirs',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute home_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_list_home($1)
|
||||||
|
+ delete_dirs_pattern($1, home_type, home_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create, read, write, and delete all directories
|
||||||
|
## in all users home directories.
|
||||||
|
## </summary>
|
||||||
|
@@ -4853,6 +5029,25 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Delete all files
|
||||||
|
+## in all users home directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_delete_all_users_home_content_files',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute home_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ delete_files_pattern($1,home_type,home_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create, read, write, and delete all files
|
||||||
|
## in all users home directories.
|
||||||
|
## </summary>
|
||||||
|
@@ -4873,6 +5068,26 @@
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
+## Delete all symlinks
|
||||||
|
+## in all users home directories.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`userdom_delete_all_users_home_content_symlinks',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute home_type;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ files_list_home($1)
|
||||||
|
+ delete_lnk_files_pattern($1,home_type,home_type)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
## Create, read, write, and delete all symlinks
|
||||||
|
## in all users home directories.
|
||||||
|
## </summary>
|
||||||
|
@@ -5109,7 +5324,7 @@
|
||||||
#
|
#
|
||||||
interface(`userdom_relabelto_generic_user_home_dirs',`
|
interface(`userdom_relabelto_generic_user_home_dirs',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
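Review bot: `userdom_delete_all_users_home_content_files` omits the `files_list_home($1)` call that both sibling interfaces (`..._dirs` and `..._symlinks`) make before their delete pattern, so on its own it appears not to let the caller traverse the home root to reach the files it is allowed to unlink; adding `files_list_home($1)` above `delete_files_pattern($1,home_type,home_type)` would make the three consistent. The tmpreaper caller in this commit invokes all three interfaces, which masks the gap there, but any future caller using only the files variant would not get that traversal. Two style nits in the same hunk: the dirs summary reads `## delete all directories` while its siblings capitalise `## Delete ...`, and the dirs pattern is written `($1, home_type, home_type)` whereas the other two use no spaces after the commas.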
@ -26701,7 +26819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_search_home($1)
|
files_search_home($1)
|
||||||
@@ -5298,6 +5454,49 @@
|
@@ -5298,6 +5513,49 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26751,7 +26869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Create, read, write, and delete directories in
|
## Create, read, write, and delete directories in
|
||||||
## unprivileged users home directories.
|
## unprivileged users home directories.
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -5503,6 +5702,42 @@
|
@@ -5503,6 +5761,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26794,7 +26912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Read and write unprivileged user ttys.
|
## Read and write unprivileged user ttys.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5668,6 +5903,42 @@
|
@@ -5668,6 +5962,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -26837,7 +26955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
|||||||
## Send a dbus message to all user domains.
|
## Send a dbus message to all user domains.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -5698,3 +5969,277 @@
|
@@ -5698,3 +6028,277 @@
|
||||||
interface(`userdom_unconfined',`
|
interface(`userdom_unconfined',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.2.5
|
Version: 3.2.5
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -387,6 +387,9 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-25
|
||||||
|
- Allow fail2ban to create a socket in /var/run
|
||||||
|
|
||||||
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-24
|
* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-24
|
||||||
- Allow allow_httpd_mod_auth_pam to work
|
- Allow allow_httpd_mod_auth_pam to work
|
||||||
|
|
||||||
|