diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index aa53435..83d0241 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -98,6 +98,26 @@ interface(`fail2ban_read_pid_files',`
 allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
 
+#####################################
+##
+## Connect to fail2ban over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
@@ -135,3 +155,21 @@ interface(`fail2ban_admin',`
 files_list_pids($1)
 admin_pattern($1, fail2ban_var_run_t)
 ')
+
+########################################
+##
+## Read and write to an fail2ban unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
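Review bot: The summary of `fail2ban_stream_connect` understates what the caller gets: if the socket under fail2ban_var_run_t is the daemon's command channel (the one fail2ban-client talks to), then `stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)` hands $1 the ability to issue ban/unban and control commands, so the interface should be documented as administrative-level access and only called for domains that genuinely need it. I would extend the summary to `## Connect to the fail2ban control socket over a unix domain stream socket; the caller can issue daemon commands.` so policy authors do not treat it as a read-only hook. The new header bar is also shorter than the file's other separators (`#####################################` versus the 40-character `########################################` used just below it and in the second hunk); make it match for consistency. Whether the socket path is labeled fail2ban_var_run_t is not visible here and should be confirmed against fail2ban.fc.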
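Review bot: The summary of `fail2ban_rw_stream_sockets` has a grammar slip, `## Read and write to an fail2ban unix stream socket.` should read `## Read and write a fail2ban unix stream socket.`. It would also help to say when this interface is meant to be used: `allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;` grants read/write on sockets owned by fail2ban_t, which is presumably for a domain that has inherited an already-connected socket descriptor rather than one that connects itself, since the connect case is covered by `fail2ban_stream_connect` in the first hunk (verify this is the intended pairing). A one-line `## Intended for domains that inherit a connected fail2ban socket; use fail2ban_stream_connect() to initiate a connection.` in the description would make that distinction explicit.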