1dfc76f76b
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
103 lines
2.6 KiB
Plaintext
103 lines
2.6 KiB
Plaintext
policy_module(fail2ban, 1.4.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type fail2ban_t;
|
|
type fail2ban_exec_t;
|
|
init_daemon_domain(fail2ban_t, fail2ban_exec_t)
|
|
|
|
type fail2ban_initrc_exec_t;
|
|
init_script_file(fail2ban_initrc_exec_t)
|
|
|
|
# log files
|
|
type fail2ban_log_t;
|
|
logging_log_file(fail2ban_log_t)
|
|
|
|
type fail2ban_var_lib_t;
|
|
files_type(fail2ban_var_lib_t)
|
|
|
|
# pid files
|
|
type fail2ban_var_run_t;
|
|
files_pid_file(fail2ban_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# fail2ban local policy
|
|
#
|
|
|
|
allow fail2ban_t self:capability { sys_tty_config };
|
|
allow fail2ban_t self:process signal;
|
|
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
|
|
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow fail2ban_t self:unix_dgram_socket create_socket_perms;
|
|
allow fail2ban_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
# log files
|
|
allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms;
|
|
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
|
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
|
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
|
|
|
|
# pid file
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
|
|
|
|
kernel_read_system_state(fail2ban_t)
|
|
|
|
corecmd_exec_bin(fail2ban_t)
|
|
corecmd_exec_shell(fail2ban_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(fail2ban_t)
|
|
corenet_all_recvfrom_netlabel(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_if(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_node(fail2ban_t)
|
|
corenet_tcp_sendrecv_all_ports(fail2ban_t)
|
|
corenet_tcp_connect_whois_port(fail2ban_t)
|
|
corenet_sendrecv_whois_client_packets(fail2ban_t)
|
|
|
|
dev_read_urand(fail2ban_t)
|
|
|
|
domain_use_interactive_fds(fail2ban_t)
|
|
|
|
files_read_etc_files(fail2ban_t)
|
|
files_read_etc_runtime_files(fail2ban_t)
|
|
files_read_usr_files(fail2ban_t)
|
|
files_list_var(fail2ban_t)
|
|
files_search_var_lib(fail2ban_t)
|
|
|
|
fs_list_inotifyfs(fail2ban_t)
|
|
fs_getattr_all_fs(fail2ban_t)
|
|
|
|
auth_use_nsswitch(fail2ban_t)
|
|
|
|
logging_read_all_logs(fail2ban_t)
|
|
logging_send_syslog_msg(fail2ban_t)
|
|
|
|
miscfiles_read_localization(fail2ban_t)
|
|
|
|
mta_send_mail(fail2ban_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_dontaudit_search_config(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(fail2ban_t)
|
|
')
|