policy_module(fail2ban, 1.5.0) ######################################## # # Declarations # attribute_role fail2ban_client_roles; type fail2ban_t; type fail2ban_exec_t; init_daemon_domain(fail2ban_t, fail2ban_exec_t) type fail2ban_initrc_exec_t; init_script_file(fail2ban_initrc_exec_t) type fail2ban_log_t; logging_log_file(fail2ban_log_t) type fail2ban_var_lib_t; files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) type fail2ban_tmp_t; files_tmp_file(fail2ban_tmp_t) type fail2ban_client_t; type fail2ban_client_exec_t; init_system_domain(fail2ban_client_t, fail2ban_client_exec_t) role fail2ban_client_roles types fail2ban_client_t; ######################################## # # Server Local policy # allow fail2ban_t self:capability { dac_read_search sys_tty_config }; allow fail2ban_t self:process { getpgid setsched signal }; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; allow fail2ban_t self:tcp_socket { accept listen }; allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) kernel_read_system_state(fail2ban_t) kernel_read_network_state(fail2ban_t) kernel_read_net_sysctls(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) corenet_sendrecv_whois_client_packets(fail2ban_t) corenet_tcp_connect_whois_port(fail2ban_t) corenet_tcp_sendrecv_whois_port(fail2ban_t) dev_read_urand(fail2ban_t) dev_read_sysfs(fail2ban_t) domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) logging_read_audit_log(fail2ban_t) logging_send_syslog_msg(fail2ban_t) logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) allow fail2ban_t fail2ban_log_t:file watch; gen_require(` attribute logfile; ') allow fail2ban_t logfile:dir { watch_dir_perms }; allow fail2ban_t logfile:file { watch_file_perms }; # Not in EL9 yet #logging_watch_audit_log_files(fail2ban_t) gen_require(` type var_log_t, auditd_log_t; ') watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t) #logging_watch_audit_log_dirs(fail2ban_t) allow fail2ban_t var_log_t:dir search_dir_perms; watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t) logging_watch_generic_log_dirs(fail2ban_t) logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) sysnet_manage_config(fail2ban_t) optional_policy(` apache_read_log(fail2ban_t) ') optional_policy(` dbus_system_bus_client(fail2ban_t) dbus_connect_system_bus(fail2ban_t) optional_policy(` firewalld_dbus_chat(fail2ban_t) ') ') optional_policy(` ftp_read_log(fail2ban_t) ') optional_policy(` gnome_dontaudit_search_config(fail2ban_t) ') optional_policy(` iptables_domtrans(fail2ban_t) ') optional_policy(` allow fail2ban_t self:capability sys_resource; allow fail2ban_t self:process setrlimit; journalctl_exec(fail2ban_t) ') optional_policy(` libs_exec_ldconfig(fail2ban_t) ') optional_policy(` rpm_exec(fail2ban_t) ') optional_policy(` shorewall_domtrans(fail2ban_t) ') ######################################## # # Client Local policy # allow fail2ban_client_t self:capability { dac_read_search }; allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) allow fail2ban_client_t fail2ban_t:process { rlimitinh }; dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; allow fail2ban_client_t fail2ban_var_run_t:dir write; stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) kernel_read_system_state(fail2ban_client_t) corecmd_exec_bin(fail2ban_client_t) dev_read_urand(fail2ban_client_t) dev_read_rand(fail2ban_client_t) domain_use_interactive_fds(fail2ban_client_t) files_search_pids(fail2ban_client_t) auth_use_nsswitch(fail2ban_client_t) libs_exec_ldconfig(fail2ban_client_t) logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) logging_read_audit_log(fail2ban_client_t) userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) optional_policy(` apache_read_log(fail2ban_client_t) ')