diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index d686641..58d4da0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.2.17)
+policy_module(corenetwork, 1.2.18)
 ########################################
 #
@@ -174,6 +174,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(wccp, udp,2048,s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index a7ee95e..7b90566 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -1,3 +1,7 @@
+/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
+
 /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 2f3e8c4..e4763b5 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -1,5 +1,5 @@
-policy_module(fail2ban, 1.1.0)
+policy_module(fail2ban, 1.1.1)
 ########################################
 #
@@ -18,6 +18,9 @@ logging_log_file(fail2ban_log_t)
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
+type fail2ban_script_exec_t;
+init_script_file(fail2ban_script_exec_t)
+
 ########################################
 #
 # fail2ban local policy
@@ -25,7 +28,8 @@ files_pid_file(fail2ban_var_run_t)
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 # log files
 allow fail2ban_t fail2ban_log_t:dir setattr;
@@ -33,28 +37,47 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 # pid file
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
 kernel_read_system_state(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_all_nodes(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
 dev_read_urand(fail2ban_t)
 domain_use_interactive_fds(fail2ban_t)
 files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
 files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
 libs_use_ld_so(fail2ban_t)
 libs_use_shared_libs(fail2ban_t)
-logging_read_generic_logs(fail2ban_t)
+logging_read_all_logs(fail2ban_t)
 miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t)
+
 optional_policy(`
 apache_read_log(fail2ban_t)
 ')
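Review bot: The `connectto` added to the self unix_stream_socket rule and the new `allow fail2ban_t self:tcp_socket create_stream_socket_perms;` carry no comment saying which code path needs them, and nothing nearby explains it either. The .fc hunk in this commit labels both `/usr/bin/fail2ban` and `/usr/bin/fail2ban-server` as `fail2ban_exec_t`, so the client and server presumably both run as `fail2ban_t` and talk over the `/var/run/fail2ban\.sock` socket file also added there; `connectto` on self looks like that client-to-server path, and the tcp_socket rule looks tied to the whois lookups granted in the following hunk. Recording that in place keeps a later reviewer from trimming or widening the wrong rule, e.g. `# client and server both run in fail2ban_t; connectto is the client side of the control socket` above the unix_stream_socket line and `# outbound whois lookups, see the corenet_* rules below` above the tcp_socket line.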
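Review bot: `corenet_tcp_sendrecv_all_ports(fail2ban_t)` grants send/receive on every labelled TCP port type, although the only outbound connect this hunk adds is `corenet_tcp_connect_whois_port(fail2ban_t)`; the per-port interface generated from the same corenetwork template, `corenet_tcp_sendrecv_whois_port(fail2ban_t)`, would cover the whois lookup without opening traffic on all ports, and the existing `corenet_sendrecv_whois_client_packets` line already follows that per-port pattern. The `generic_if` / `all_nodes` pair is the usual client boilerplate and is fine as written. Separately, replacing `logging_read_generic_logs` with `logging_read_all_logs` widens read access from the generic log type to every log type; that is defensible for a daemon whose monitored logs are chosen by the administrator, but it deserves a comment so the widening is not mistaken for an accident, e.g. `# monitored logs are configured by the admin, so any log type may be read`. If the monitored set is in fact fixed, per-service read interfaces like the existing `apache_read_log` optional block are the tighter pattern.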