Tree - rpms/selinux-policy - src.fedoraproject.org

psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago

Blame fail2ban.if

Blob History Raw

	1ec3d1a	`## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Execute a domain transition to run fail2ban.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
Chris PeBenito	9401ae1	`## <summary>`
Chris PeBenito	9401ae1	`## Domain allowed to transition.`
Chris PeBenito	9401ae1	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_domtrans',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_t, fail2ban_exec_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`#####################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Connect to fail2ban over a unix domain`
	1ec3d1a	`## stream socket.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_stream_connect',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_t, fail2ban_var_run_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`files_search_pids($1)`
	1ec3d1a	`stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Read and write inherited temporary files.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_rw_inherited_tmp_files',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_tmp_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`files_search_tmp($1)`
	1ec3d1a	`allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Read and write to an fail2ba unix stream socket.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_rw_stream_sockets',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Read fail2ban lib files.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_read_lib_files',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_var_lib_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`files_search_var_lib($1)`
	1ec3d1a	`read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Allow the specified domain to read fail2ban's log files.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`## <rolecap/>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_read_log',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_log_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`logging_search_logs($1)`
	1ec3d1a	`allow $1 fail2ban_log_t:dir list_dir_perms;`
	1ec3d1a	`allow $1 fail2ban_log_t:file read_file_perms;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Allow the specified domain to append`
	1ec3d1a	`## fail2ban log files.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
Chris PeBenito	9401ae1	`## <summary>`
Chris PeBenito	9401ae1	`## Domain allowed access.`
Chris PeBenito	9401ae1	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_append_log',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_log_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`logging_search_logs($1)`
	1ec3d1a	`allow $1 fail2ban_log_t:dir list_dir_perms;`
	1ec3d1a	`allow $1 fail2ban_log_t:file append_file_perms;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Read fail2ban PID files.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_read_pid_files',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_var_run_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`files_search_pids($1)`
	1ec3d1a	`allow $1 fail2ban_var_run_t:file read_file_perms;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## dontaudit read and write an leaked file descriptors`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain to not audit.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_dontaudit_leaks',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`dontaudit $1 fail2ban_t:tcp_socket { read write };`
	1ec3d1a	`dontaudit $1 fail2ban_t:unix_dgram_socket { read write };`
	1ec3d1a	`dontaudit $1 fail2ban_t:unix_stream_socket { read write };`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`########################################`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## All of the rules required to administrate`
	1ec3d1a	`## an fail2ban environment`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## <param name="domain">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## Domain allowed access.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`## <param name="role">`
	1ec3d1a	`## <summary>`
	1ec3d1a	`## The role to be allowed to manage the fail2ban domain.`
	1ec3d1a	`## </summary>`
	1ec3d1a	`## </param>`
	1ec3d1a	`## <rolecap/>`
	1ec3d1a	`#`
	1ec3d1a	interface(`fail2ban_admin',`
	1ec3d1a	gen_require(`
	1ec3d1a	`type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;`
	1ec3d1a	`type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;`
	1ec3d1a	`type fail2ban_client_t;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;`
	1ec3d1a	`ps_process_pattern($1, { fail2ban_t fail2ban_client_t })`
	1ec3d1a	tunable_policy(`deny_ptrace',`',`
	1ec3d1a	`allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;`
	1ec3d1a	`')`
	1ec3d1a
	1ec3d1a	`init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)`
	1ec3d1a	`domain_system_change_exemption($1)`
	1ec3d1a	`role_transition $2 fail2ban_initrc_exec_t system_r;`
	1ec3d1a	`allow $2 system_r;`
	1ec3d1a
	1ec3d1a	`logging_list_logs($1)`
	1ec3d1a	`admin_pattern($1, fail2ban_log_t)`
	1ec3d1a
	1ec3d1a	`files_list_pids($1)`
	1ec3d1a	`admin_pattern($1, fail2ban_var_run_t)`
	1ec3d1a
	1ec3d1a	`files_list_var_lib($1)`
	1ec3d1a	`admin_pattern($1, fail2ban_var_lib_t)`
	1ec3d1a
	1ec3d1a	`files_list_tmp($1)`
	1ec3d1a	`admin_pattern($1, fail2ban_tmp_t)`
	1ec3d1a	`')`

psss / rpms / selinux-policy

Source Code

Blame fail2ban.if