From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: New fail2ban policy
Date: Tue, 20 Mar 2007 16:27:57 -0400 [thread overview]
Message-ID: <460043CD.1060700@redhat.com> (raw)
In-Reply-To: <1174420865.16552.3.camel@sgc>
[-- Attachment #1: Type: text/plain, Size: 641 bytes --]
Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 09:28 -0500, Daniel J Walsh wrote:
>
> This seems to have rules similar to iptables:
>
>
>> +allow fail2ban_t self : capability { net_admin net_raw };
>> +allow fail2ban_t self : rawip_socket { getopt create setopt };
>>
>
>
> But also transitions to iptables?
>
>
Yes remove these
>> +optional_policy(`
>> + iptables_domtrans(fail2ban_t)
>> +')
>>
>
> This also seems out of place:
>
>
>> +selinux_get_fs_mount(fail2ban_t)
>>
>
>
Not sure, but retesting now it did not complain so remove.
Also seems to need
kernel_read_system_state(fail2ban_t)
[-- Attachment #2: fail2ban.te --]
[-- Type: text/plain, Size: 1738 bytes --]
policy_module(fail2ban,1.0.0)
########################################
#
# Declarations
#
type fail2ban_t;
type fail2ban_exec_t;
domain_type(fail2ban_t)
init_daemon_domain(fail2ban_t, fail2ban_exec_t)
# log files
type fail2ban_log_t;
logging_log_file(fail2ban_log_t)
# pid files
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
########################################
#
# fail2ban local policy
#
allow fail2ban_t self : process signal;
# Init script handling
init_use_fds(fail2ban_t)
init_use_script_ptys(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)
## internal communication is often done using fifo and unix sockets.
allow fail2ban_t self:fifo_file rw_file_perms;
allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
# Some common macros (you might be able to remove some)
files_read_etc_files(fail2ban_t)
kernel_read_system_state(fail2ban_t)
libs_use_ld_so(fail2ban_t)
libs_use_shared_libs(fail2ban_t)
miscfiles_read_localization(fail2ban_t)
# log files
allow fail2ban_t fail2ban_log_t:file manage_file_perms;
allow fail2ban_t fail2ban_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(fail2ban_t,fail2ban_log_t,{ file dir })
# pid file
allow fail2ban_t fail2ban_var_run_t:file manage_file_perms;
allow fail2ban_t fail2ban_var_run_t:dir rw_dir_perms;
files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
corecmd_search_sbin(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
dev_read_urand(fail2ban_t)
files_read_usr_files(fail2ban_t)
logging_read_generic_logs(fail2ban_t)
optional_policy(`
iptables_domtrans(fail2ban_t)
')
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(fail2ban_t)
term_dontaudit_use_generic_ptys(fail2ban_t)
')
next prev parent reply other threads:[~2007-03-20 20:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-08 14:28 New fail2ban policy Daniel J Walsh
2007-03-20 20:01 ` Christopher J. PeBenito
2007-03-20 20:27 ` Daniel J Walsh [this message]
2007-03-21 14:47 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=460043CD.1060700@redhat.com \
--to=dwalsh@redhat.com \
--cc=cpebenito@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.