diff --git a/Changelog b/Changelog
index d2b14e6..d63829d 100644
--- a/Changelog
+++ b/Changelog
@@ -37,6 +37,7 @@ Thu, 25 Jan 2007 - Added modules: consolekit (Dan Walsh) + fail2ban (Dan Walsh) * Tue Dec 12 2006 Chris PeBenito - 20061212 - Add policy patterns support macros. This changes the behavior of
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
new file mode 100644
index 0000000..08be019
--- /dev/null
+++ b/policy/modules/services/fail2ban.fc
@@ -0,0 +1,3 @@
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
new file mode 100644
index 0000000..01dab0d
--- /dev/null
+++ b/policy/modules/services/fail2ban.if
@@ -0,0 +1,80 @@
+## Update firewall filtering to ban IP addresses with too many password failures.
+
+########################################
+##
+## Execute a domain transition to run fail2ban.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ domtrans_pattern($1,fail2ban_exec_t,fail2ban_t)
+')
+
+########################################
+##
+## Allow the specified domain to read fail2ban's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file { read getattr lock };
+')
+
+########################################
+##
+## Allow the specified domain to append
+## fail2ban log files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+##
+## Read fail2ban PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
new file mode 100644
index 0000000..1a45537
--- /dev/null
+++ b/policy/modules/services/fail2ban.te
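Review bot: `fail2ban_read_log` spells out the file permissions by hand as `{ read getattr lock }` while `fail2ban_read_pid_files` in the same hunk uses `read_file_perms` and `fail2ban_append_log` uses `append_file_perms`; for consistency, and so the set tracks the refpolicy definition rather than a frozen copy, change it to `allow $1 fail2ban_log_t:file read_file_perms;`. The parameter summary of `fail2ban_append_log` reads "Domain allowed to transition." although that interface performs no domain transition (the wording belongs to `fail2ban_domtrans`); it should say `## Domain allowed access.` as `fail2ban_read_log` does. The doc-comment markup tags appear to have been stripped in this rendering, so the extra `##` line in the `fail2ban_read_log` header could not be checked for balanced tags.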
@@ -0,0 +1,74 @@
+
+policy_module(fail2ban,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t,fail2ban_log_t,fail2ban_log_t)
+logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
+
+# pid file
+manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_search_sbin(fail2ban_t)
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+
+libs_use_ld_so(fail2ban_t)
+libs_use_shared_libs(fail2ban_t)
+
+logging_read_generic_logs(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(fail2ban_t)
+ term_dontaudit_use_generic_ptys(fail2ban_t)
+')
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
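Review bot: `logging_read_generic_logs(fail2ban_t)` and `corecmd_exec_shell(fail2ban_t)` are the broadest grants in this hunk — read access to every generic log plus shell execution from the daemon's domain — yet, unlike the `# log files` and `# pid file` sections, neither carries a comment saying why fail2ban_t needs it. Given the module summary in fail2ban.if (scan logs for password failures, then update firewall filtering) both are presumably intentional, and the shell grant deserves the note most, since the daemon acts on log lines that remote clients influence; add e.g. `# scans admin-configured logs for authentication failures` above the logging line and `# ban/unban actions are run through shell commands` above the corecmd block, adjusting the wording if the real reason differs. The argument spacing in `files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)` differs from `logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)` just above it; drop the stray space.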