3235a8bbe6
Disable transition from dbus_session_domain to telepathy for F14 Allow boinc_project to use shm Allow certmonger to search through directories that contain certs Allow fail2ban the DAC Override so it can read log files owned by non root users
103 lines
2.6 KiB
Plaintext
103 lines
2.6 KiB
Plaintext
policy_module(fail2ban, 1.4.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type fail2ban_t;
|
|
type fail2ban_exec_t;
|
|
init_daemon_domain(fail2ban_t, fail2ban_exec_t)
|
|
|
|
type fail2ban_initrc_exec_t;
|
|
init_script_file(fail2ban_initrc_exec_t)
|
|
|
|
# log files
|
|
type fail2ban_log_t;
|
|
logging_log_file(fail2ban_log_t)
|
|
|
|
type fail2ban_var_lib_t;
|
|
files_type(fail2ban_var_lib_t)
|
|
|
|
# pid files
|
|
type fail2ban_var_run_t;
|
|
files_pid_file(fail2ban_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# fail2ban local policy
|
|
#
|
|
|
|
allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
|
|
allow fail2ban_t self:process signal;
|
|
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
|
|
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow fail2ban_t self:unix_dgram_socket create_socket_perms;
|
|
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
# log files
|
|
allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
|
|
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
|
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
|
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
|
|
|
|
# pid file
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
|
|
|
|
kernel_read_system_state(fail2ban_t)
|
|
|
|
corecmd_exec_bin(fail2ban_t)
|
|
corecmd_exec_shell(fail2ban_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(fail2ban_t)
|
|
corenet_all_recvfrom_netlabel(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_if(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_node(fail2ban_t)
|
|
corenet_tcp_sendrecv_all_ports(fail2ban_t)
|
|
corenet_tcp_connect_whois_port(fail2ban_t)
|
|
corenet_sendrecv_whois_client_packets(fail2ban_t)
|
|
|
|
dev_read_urand(fail2ban_t)
|
|
|
|
domain_use_interactive_fds(fail2ban_t)
|
|
|
|
files_read_etc_files(fail2ban_t)
|
|
files_read_etc_runtime_files(fail2ban_t)
|
|
files_read_usr_files(fail2ban_t)
|
|
files_list_var(fail2ban_t)
|
|
files_search_var_lib(fail2ban_t)
|
|
|
|
fs_list_inotifyfs(fail2ban_t)
|
|
fs_getattr_all_fs(fail2ban_t)
|
|
|
|
auth_use_nsswitch(fail2ban_t)
|
|
|
|
logging_read_all_logs(fail2ban_t)
|
|
logging_send_syslog_msg(fail2ban_t)
|
|
|
|
miscfiles_read_localization(fail2ban_t)
|
|
|
|
mta_send_mail(fail2ban_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_dontaudit_search_config(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(fail2ban_t)
|
|
')
|