policy_module(fail2ban,1.0.0)

########################################
#
# Declarations
#

type fail2ban_t;
type fail2ban_exec_t;
domain_type(fail2ban_t)
init_daemon_domain(fail2ban_t, fail2ban_exec_t)

# log files
type fail2ban_log_t;
logging_log_file(fail2ban_log_t)

# pid files
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)

########################################
#
# fail2ban local policy
#

allow fail2ban_t self : process signal;

# Init script handling
init_use_fds(fail2ban_t)
init_use_script_ptys(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)

## internal communication is often done using fifo and unix sockets.
allow fail2ban_t self:fifo_file rw_file_perms;
allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;

# Some common macros (you might be able to remove some)
files_read_etc_files(fail2ban_t)

kernel_read_system_state(fail2ban_t)

libs_use_ld_so(fail2ban_t)
libs_use_shared_libs(fail2ban_t)

miscfiles_read_localization(fail2ban_t)

# log files
allow fail2ban_t fail2ban_log_t:file manage_file_perms;
allow fail2ban_t fail2ban_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(fail2ban_t,fail2ban_log_t,{ file dir })

# pid file
allow fail2ban_t fail2ban_var_run_t:file manage_file_perms;
allow fail2ban_t fail2ban_var_run_t:dir rw_dir_perms;
files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)

corecmd_search_sbin(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)

dev_read_urand(fail2ban_t)

files_read_usr_files(fail2ban_t)

logging_read_generic_logs(fail2ban_t)

optional_policy(`
	iptables_domtrans(fail2ban_t)
')

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(fail2ban_t)
	term_dontaudit_use_generic_ptys(fail2ban_t)
')