You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
208 lines
5.5 KiB
208 lines
5.5 KiB
policy_module(fail2ban, 1.5.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute_role fail2ban_client_roles;
|
|
|
|
type fail2ban_t;
|
|
type fail2ban_exec_t;
|
|
init_daemon_domain(fail2ban_t, fail2ban_exec_t)
|
|
|
|
type fail2ban_initrc_exec_t;
|
|
init_script_file(fail2ban_initrc_exec_t)
|
|
|
|
type fail2ban_log_t;
|
|
logging_log_file(fail2ban_log_t)
|
|
|
|
type fail2ban_var_lib_t;
|
|
files_type(fail2ban_var_lib_t)
|
|
|
|
type fail2ban_var_run_t;
|
|
files_pid_file(fail2ban_var_run_t)
|
|
|
|
type fail2ban_tmp_t;
|
|
files_tmp_file(fail2ban_tmp_t)
|
|
|
|
type fail2ban_client_t;
|
|
type fail2ban_client_exec_t;
|
|
init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
|
|
role fail2ban_client_roles types fail2ban_client_t;
|
|
|
|
########################################
|
|
#
|
|
# Server Local policy
|
|
#
|
|
|
|
allow fail2ban_t self:capability { dac_read_search sys_tty_config };
|
|
allow fail2ban_t self:process { getpgid setsched signal };
|
|
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
|
|
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
|
|
allow fail2ban_t self:tcp_socket { accept listen };
|
|
allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
|
|
|
|
read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
|
|
|
|
append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
|
create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
|
setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
|
|
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
|
|
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
|
|
exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
|
|
files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
|
|
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
|
|
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
|
|
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
|
|
|
|
kernel_read_system_state(fail2ban_t)
|
|
kernel_read_network_state(fail2ban_t)
|
|
kernel_read_net_sysctls(fail2ban_t)
|
|
|
|
corecmd_exec_bin(fail2ban_t)
|
|
corecmd_exec_shell(fail2ban_t)
|
|
|
|
corenet_all_recvfrom_netlabel(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_if(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_node(fail2ban_t)
|
|
|
|
corenet_sendrecv_whois_client_packets(fail2ban_t)
|
|
corenet_tcp_connect_whois_port(fail2ban_t)
|
|
corenet_tcp_sendrecv_whois_port(fail2ban_t)
|
|
|
|
dev_read_urand(fail2ban_t)
|
|
dev_read_sysfs(fail2ban_t)
|
|
|
|
domain_use_interactive_fds(fail2ban_t)
|
|
domain_dontaudit_read_all_domains_state(fail2ban_t)
|
|
|
|
files_read_etc_runtime_files(fail2ban_t)
|
|
files_list_var(fail2ban_t)
|
|
files_dontaudit_list_tmp(fail2ban_t)
|
|
|
|
fs_getattr_all_fs(fail2ban_t)
|
|
|
|
auth_use_nsswitch(fail2ban_t)
|
|
|
|
logging_read_all_logs(fail2ban_t)
|
|
logging_read_audit_log(fail2ban_t)
|
|
logging_send_syslog_msg(fail2ban_t)
|
|
logging_read_syslog_pid(fail2ban_t)
|
|
logging_dontaudit_search_audit_logs(fail2ban_t)
|
|
logging_mmap_generic_logs(fail2ban_t)
|
|
logging_mmap_journal(fail2ban_t)
|
|
allow fail2ban_t fail2ban_log_t:file watch;
|
|
gen_require(`
|
|
attribute logfile;
|
|
')
|
|
allow fail2ban_t logfile:dir { watch_dir_perms };
|
|
allow fail2ban_t logfile:file { watch_file_perms };
|
|
# Not in EL9 yet
|
|
#logging_watch_audit_log_files(fail2ban_t)
|
|
gen_require(`
|
|
type var_log_t, auditd_log_t;
|
|
')
|
|
watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
|
|
#logging_watch_audit_log_dirs(fail2ban_t)
|
|
allow fail2ban_t var_log_t:dir search_dir_perms;
|
|
watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
|
|
logging_watch_generic_log_dirs(fail2ban_t)
|
|
logging_watch_journal_dir(fail2ban_t)
|
|
|
|
mta_send_mail(fail2ban_t)
|
|
|
|
sysnet_manage_config(fail2ban_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(fail2ban_t)
|
|
dbus_connect_system_bus(fail2ban_t)
|
|
|
|
optional_policy(`
|
|
firewalld_dbus_chat(fail2ban_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_dontaudit_search_config(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
allow fail2ban_t self:capability sys_resource;
|
|
allow fail2ban_t self:process setrlimit;
|
|
journalctl_exec(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
libs_exec_ldconfig(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_exec(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
shorewall_domtrans(fail2ban_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Client Local policy
|
|
#
|
|
|
|
allow fail2ban_client_t self:capability { dac_read_search };
|
|
allow fail2ban_client_t self:unix_stream_socket { create connect write read };
|
|
|
|
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
|
|
|
|
allow fail2ban_client_t fail2ban_t:process { rlimitinh };
|
|
|
|
dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
|
|
allow fail2ban_client_t fail2ban_var_run_t:dir write;
|
|
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
|
|
|
|
kernel_read_system_state(fail2ban_client_t)
|
|
|
|
corecmd_exec_bin(fail2ban_client_t)
|
|
|
|
dev_read_urand(fail2ban_client_t)
|
|
dev_read_rand(fail2ban_client_t)
|
|
|
|
domain_use_interactive_fds(fail2ban_client_t)
|
|
|
|
files_search_pids(fail2ban_client_t)
|
|
|
|
auth_use_nsswitch(fail2ban_client_t)
|
|
|
|
libs_exec_ldconfig(fail2ban_client_t)
|
|
|
|
logging_getattr_all_logs(fail2ban_client_t)
|
|
logging_search_all_logs(fail2ban_client_t)
|
|
logging_read_audit_log(fail2ban_client_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
|
|
userdom_use_user_terminals(fail2ban_client_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(fail2ban_client_t)
|
|
')
|