Hoshpak
/
debian-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
							policy_module(fail2ban, 1.5.7)

########################################
#
# Declarations
#

attribute_role fail2ban_client_roles;

type fail2ban_t;
type fail2ban_exec_t;
init_daemon_domain(fail2ban_t, fail2ban_exec_t)

type fail2ban_initrc_exec_t;
init_script_file(fail2ban_initrc_exec_t)

type fail2ban_log_t;
logging_log_file(fail2ban_log_t)

type fail2ban_var_lib_t;
files_type(fail2ban_var_lib_t)

type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)

type fail2ban_tmp_t;
files_tmp_file(fail2ban_tmp_t)

type fail2ban_client_t;
type fail2ban_client_exec_t;
init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
role fail2ban_client_roles types fail2ban_client_t;

########################################
#
# Server Local policy
#

allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };

read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)

append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)

manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })

manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)

manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })

kernel_read_system_state(fail2ban_t)

corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)

corenet_all_recvfrom_unlabeled(fail2ban_t)
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)

corenet_sendrecv_whois_client_packets(fail2ban_t)
corenet_tcp_connect_whois_port(fail2ban_t)
corenet_tcp_sendrecv_whois_port(fail2ban_t)

dev_read_urand(fail2ban_t)

domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)

files_read_etc_runtime_files(fail2ban_t)
files_read_usr_files(fail2ban_t)
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)

fs_list_inotifyfs(fail2ban_t)
fs_getattr_all_fs(fail2ban_t)

auth_use_nsswitch(fail2ban_t)

logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)

miscfiles_read_localization(fail2ban_t)

sysnet_manage_config(fail2ban_t)
sysnet_etc_filetrans_config(fail2ban_t)

mta_send_mail(fail2ban_t)

optional_policy(`
	apache_read_log(fail2ban_t)
')

optional_policy(`
	ftp_read_log(fail2ban_t)
')

optional_policy(`
	iptables_domtrans(fail2ban_t)
')

optional_policy(`
	libs_exec_ldconfig(fail2ban_t)
')

optional_policy(`
	shorewall_domtrans(fail2ban_t)
')

########################################
#
# Client Local policy
#

allow fail2ban_client_t self:capability dac_read_search;
allow fail2ban_client_t self:unix_stream_socket { create connect write read };
allow fail2ban_client_t self:capability sys_tty_config;

domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)

stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)

manage_dirs_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_client_t, fail2ban_var_run_t, { file sock_file })

kernel_read_system_state(fail2ban_client_t)

corecmd_exec_bin(fail2ban_client_t)

domain_use_interactive_fds(fail2ban_client_t)

files_read_etc_files(fail2ban_client_t)
files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)

logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)

miscfiles_read_localization(fail2ban_client_t)

userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)

term_write_console(fail2ban_client_t)
term_read_console(fail2ban_client_t)