New fail2ban policy

New fail2ban policy

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 17 bytes --]

Resend to list.


[-- Attachment #2: nsaserefpolicy_policy_modules_services_fail2ban.patch --]
[-- Type: text/x-patch, Size: 4601 bytes --]

--- nsaserefpolicy/policy/modules/services/fail2ban.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/fail2ban.fc	2007-03-08 08:42:37.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/bin/fail2ban		--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/log/fail2ban.log		--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.pid		--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
--- nsaserefpolicy/policy/modules/services/fail2ban.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/fail2ban.if	2007-03-08 08:42:37.000000000 -0500
@@ -0,0 +1,87 @@
+
+## <summary>policy for fail2ban</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+	gen_require(`
+		type fail2ban_t, fail2ban_exec_t;
+	')
+
+	domain_auto_trans($1,fail2ban_exec_t,fail2ban_t)
+
+	allow fail2ban_t $1:fd use;
+	allow fail2ban_t $1:fifo_file rw_file_perms;
+	allow fail2ban_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	fail2ban log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+	gen_require(`
+		type var_log_t, fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file { getattr append };
+')
+
+
+########################################
+## <summary>
+##	Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+	gen_require(`
+		type fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 fail2ban_var_run_t:file r_file_perms;
+')
+
--- nsaserefpolicy/policy/modules/services/fail2ban.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/services/fail2ban.te	2007-03-08 08:42:37.000000000 -0500
@@ -0,0 +1,77 @@
+policy_module(fail2ban,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+domain_type(fail2ban_t)
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self : capability { net_admin net_raw };
+allow fail2ban_t self : process signal;
+allow fail2ban_t self : rawip_socket { getopt create setopt };
+
+# Init script handling
+init_use_fds(fail2ban_t)
+init_use_script_ptys(fail2ban_t)
+domain_use_interactive_fds(fail2ban_t)
+
+## internal communication is often done using fifo and unix sockets.
+allow fail2ban_t self:fifo_file rw_file_perms;
+allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(fail2ban_t)
+
+libs_use_ld_so(fail2ban_t)
+libs_use_shared_libs(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+# log files
+allow fail2ban_t fail2ban_log_t:file manage_file_perms;
+allow fail2ban_t fail2ban_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(fail2ban_t,fail2ban_log_t,{ file dir })
+
+# pid file
+allow fail2ban_t fail2ban_var_run_t:file manage_file_perms;
+allow fail2ban_t fail2ban_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
+
+corecmd_search_sbin(fail2ban_t)
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+files_read_usr_files(fail2ban_t)
+
+logging_read_generic_logs(fail2ban_t)
+
+selinux_get_fs_mount(fail2ban_t)
+
+optional_policy(`
+	iptables_domtrans(fail2ban_t)
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(fail2ban_t)
+	term_dontaudit_use_generic_ptys(fail2ban_t)
+')
+

Re: New fail2ban policy

[Christopher J. PeBenito]

On Thu, 2007-03-08 at 09:28 -0500, Daniel J Walsh wrote:

This seems to have rules similar to iptables:

> +allow fail2ban_t self : capability { net_admin net_raw };
> +allow fail2ban_t self : rawip_socket { getopt create setopt };

But also transitions to iptables?

> +optional_policy(`
> +       iptables_domtrans(fail2ban_t)
> +')

This also seems out of place:

> +selinux_get_fs_mount(fail2ban_t)

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New fail2ban policy

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 641 bytes --]

Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 09:28 -0500, Daniel J Walsh wrote:
>
> This seems to have rules similar to iptables:
>
>   
>> +allow fail2ban_t self : capability { net_admin net_raw };
>> +allow fail2ban_t self : rawip_socket { getopt create setopt };
>>     
>
>   
> But also transitions to iptables?
>
>   
Yes remove these
>> +optional_policy(`
>> +       iptables_domtrans(fail2ban_t)
>> +')
>>     
>
> This also seems out of place:
>
>   
>> +selinux_get_fs_mount(fail2ban_t)
>>     
>
>   
Not sure, but retesting now it did not complain so remove.

Also seems to need

kernel_read_system_state(fail2ban_t)



[-- Attachment #2: fail2ban.te --]
[-- Type: text/plain, Size: 1738 bytes --]

policy_module(fail2ban,1.0.0)

########################################
#
# Declarations
#

type fail2ban_t;
type fail2ban_exec_t;
domain_type(fail2ban_t)
init_daemon_domain(fail2ban_t, fail2ban_exec_t)

# log files
type fail2ban_log_t;
logging_log_file(fail2ban_log_t)

# pid files
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)

########################################
#
# fail2ban local policy
#

allow fail2ban_t self : process signal;

# Init script handling
init_use_fds(fail2ban_t)
init_use_script_ptys(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)

## internal communication is often done using fifo and unix sockets.
allow fail2ban_t self:fifo_file rw_file_perms;
allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;

# Some common macros (you might be able to remove some)
files_read_etc_files(fail2ban_t)

kernel_read_system_state(fail2ban_t)

libs_use_ld_so(fail2ban_t)
libs_use_shared_libs(fail2ban_t)

miscfiles_read_localization(fail2ban_t)

# log files
allow fail2ban_t fail2ban_log_t:file manage_file_perms;
allow fail2ban_t fail2ban_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(fail2ban_t,fail2ban_log_t,{ file dir })

# pid file
allow fail2ban_t fail2ban_var_run_t:file manage_file_perms;
allow fail2ban_t fail2ban_var_run_t:dir rw_dir_perms;
files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)

corecmd_search_sbin(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)

dev_read_urand(fail2ban_t)

files_read_usr_files(fail2ban_t)

logging_read_generic_logs(fail2ban_t)

optional_policy(`
	iptables_domtrans(fail2ban_t)
')

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(fail2ban_t)
	term_dontaudit_use_generic_ptys(fail2ban_t)
')

Re: New fail2ban policy

[Christopher J. PeBenito]

On Tue, 2007-03-20 at 16:27 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2007-03-08 at 09:28 -0500, Daniel J Walsh wrote:
> >
> > This seems to have rules similar to iptables:
> >
> >   
> >> +allow fail2ban_t self : capability { net_admin net_raw };
> >> +allow fail2ban_t self : rawip_socket { getopt create setopt };
> >>     
> >
> >   
> > But also transitions to iptables?
> >
> >   
> Yes remove these
> >> +optional_policy(`
> >> +       iptables_domtrans(fail2ban_t)
> >> +')
> >>     
> >
> > This also seems out of place:
> >
> >   
> >> +selinux_get_fs_mount(fail2ban_t)
> >>     
> >
> >   
> Not sure, but retesting now it did not complain so remove.
> 
> Also seems to need
> 
> kernel_read_system_state(fail2ban_t)

Merged.  I also added an optional log reading for apache and ftp since
the project's page says it can read these logs too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.