Remove the fail2ban module sources
The fail2ban package now maintains its own SELinux policy module.
zpytela committed Oct 11, 2024
1 parent dca5983 commit 8663090
Showing 5 changed files with 132 additions and 322 deletions.
7 changes: 0 additions & 7 deletions dist/mls/modules.conf
Expand Up @@ -805,13 +805,6 @@ entropyd = module
#
exim = module

# Layer: services
# Module: fail2ban
#
# daiemon that bans IP that makes too many password failures
#
fail2ban = module

# Layer: services
# Module: fetchmail
#
7 changes: 0 additions & 7 deletions dist/targeted/modules.conf
Expand Up @@ -946,13 +946,6 @@ entropyd = module
#
exim = module

# Layer: services
# Module: fail2ban
#
# daiemon that bans IP that makes too many password failures
#
fail2ban = module

# Layer: services
# Module: fcoe
#
9 changes: 0 additions & 9 deletions policy/modules/contrib/fail2ban.fc

This file was deleted.

236 changes: 132 additions & 104 deletions policy/modules/contrib/fail2ban.if
Expand Up @@ -10,13 +10,15 @@
## </summary>
## </param>
#
interface(`fail2ban_domtrans',`
gen_require(`
type fail2ban_t, fail2ban_exec_t;
ifndef(`fail2ban_domtrans',`
interface(`fail2ban_domtrans',`
gen_require(`
type fail2ban_t, fail2ban_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')

corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')

#######################################
Expand All @@ -30,13 +32,15 @@ interface(`fail2ban_domtrans',`
## </summary>
## </param>
#
interface(`fail2ban_domtrans_client',`
gen_require(`
type fail2ban_client_t, fail2ban_client_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
ifndef(`fail2ban_domtrans_client',`
interface(`fail2ban_domtrans_client',`
gen_require(`
type fail2ban_client_t, fail2ban_client_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
')

#######################################
Expand All @@ -57,13 +61,15 @@ interface(`fail2ban_domtrans_client',`
## </summary>
## </param>
#
interface(`fail2ban_run_client',`
gen_require(`
attribute_role fail2ban_client_roles;
')

fail2ban_domtrans_client($1)
roleattribute $2 fail2ban_client_roles;
ifndef(`fail2ban_run_client',`
interface(`fail2ban_run_client',`
gen_require(`
attribute_role fail2ban_client_roles;
')

fail2ban_domtrans_client($1)
roleattribute $2 fail2ban_client_roles;
')
')

#####################################
Expand All @@ -77,13 +83,15 @@ interface(`fail2ban_run_client',`
## </summary>
## </param>
#
interface(`fail2ban_stream_connect',`
gen_require(`
type fail2ban_t, fail2ban_var_run_t;
ifndef(`fail2ban_stream_connect',`
interface(`fail2ban_stream_connect',`
gen_require(`
type fail2ban_t, fail2ban_var_run_t;
')

files_search_pids($1)
stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
')

files_search_pids($1)
stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
')

########################################
Expand All @@ -96,13 +104,15 @@ interface(`fail2ban_stream_connect',`
## </summary>
## </param>
#
interface(`fail2ban_rw_inherited_tmp_files',`
gen_require(`
type fail2ban_tmp_t;
ifndef(`fail2ban_rw_inherited_tmp_files',`
interface(`fail2ban_rw_inherited_tmp_files',`
gen_require(`
type fail2ban_tmp_t;
')

files_search_tmp($1)
allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')

files_search_tmp($1)
allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')

########################################
Expand All @@ -115,12 +125,14 @@ interface(`fail2ban_rw_inherited_tmp_files',`
## </summary>
## </param>
#
interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
ifndef(`fail2ban_rw_stream_sockets',`
interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')

allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
')

#######################################
Expand All @@ -134,12 +146,14 @@ interface(`fail2ban_rw_stream_sockets',`
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_use_fds',`
gen_require(`
type fail2ban_t;
')
ifndef(`fail2ban_dontaudit_use_fds',`
interface(`fail2ban_dontaudit_use_fds',`
gen_require(`
type fail2ban_t;
')

dontaudit $1 fail2ban_t:fd use;
dontaudit $1 fail2ban_t:fd use;
')
')

#######################################
Expand All @@ -153,12 +167,14 @@ interface(`fail2ban_dontaudit_use_fds',`
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
ifndef(`fail2ban_dontaudit_rw_stream_sockets',`
interface(`fail2ban_dontaudit_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')

dontaudit $1 fail2ban_t:unix_stream_socket { read write };
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
')

########################################
Expand All @@ -171,13 +187,15 @@ interface(`fail2ban_dontaudit_rw_stream_sockets',`
## </summary>
## </param>
#
interface(`fail2ban_read_lib_files',`
gen_require(`
type fail2ban_var_lib_t;
ifndef(`fail2ban_read_lib_files',`
interface(`fail2ban_read_lib_files',`
gen_require(`
type fail2ban_var_lib_t;
')

files_search_var_lib($1)
read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')

files_search_var_lib($1)
read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')

########################################
Expand All @@ -191,14 +209,16 @@ interface(`fail2ban_read_lib_files',`
## </param>
## <rolecap/>
#
interface(`fail2ban_read_log',`
gen_require(`
type fail2ban_log_t;
ifndef(`fail2ban_read_log',`
interface(`fail2ban_read_log',`
gen_require(`
type fail2ban_log_t;
')

logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
')

logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file read_file_perms;
')

########################################
Expand All @@ -212,14 +232,16 @@ interface(`fail2ban_read_log',`
## </summary>
## </param>
#
interface(`fail2ban_append_log',`
gen_require(`
type fail2ban_log_t;
ifndef(`fail2ban_append_log',`
interface(`fail2ban_append_log',`
gen_require(`
type fail2ban_log_t;
')

logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')

logging_search_logs($1)
allow $1 fail2ban_log_t:dir list_dir_perms;
allow $1 fail2ban_log_t:file append_file_perms;
')

########################################
Expand All @@ -232,13 +254,15 @@ interface(`fail2ban_append_log',`
## </summary>
## </param>
#
interface(`fail2ban_read_pid_files',`
gen_require(`
type fail2ban_var_run_t;
ifndef(`fail2ban_read_pid_files',`
interface(`fail2ban_read_pid_files',`
gen_require(`
type fail2ban_var_run_t;
')

files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
')

files_search_pids($1)
allow $1 fail2ban_var_run_t:file read_file_perms;
')

########################################
Expand All @@ -251,14 +275,16 @@ interface(`fail2ban_read_pid_files',`
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_leaks',`
gen_require(`
type fail2ban_t;
ifndef(`fail2ban_dontaudit_leaks',`
interface(`fail2ban_dontaudit_leaks',`
gen_require(`
type fail2ban_t;
')

dontaudit $1 fail2ban_t:tcp_socket { read write };
dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')

dontaudit $1 fail2ban_t:tcp_socket { read write };
dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')

########################################
Expand All @@ -278,36 +304,38 @@ interface(`fail2ban_dontaudit_leaks',`
## </param>
## <rolecap/>
#
interface(`fail2ban_admin',`
gen_require(`
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
type fail2ban_client_t;
')
ifndef(`fail2ban_admin',`
interface(`fail2ban_admin',`
gen_require(`
type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
type fail2ban_client_t;
')

allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })

tunable_policy(`deny_ptrace',`',`
allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
')
tunable_policy(`deny_ptrace',`',`
allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
')

init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
allow $2 system_r;

logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)

files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)

files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
files_list_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)

files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
files_list_tmp($1)
admin_pattern($1, fail2ban_tmp_t)

fail2ban_run_client($1, $2)
fail2ban_run_client($1, $2)
')
')
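Review bot: Nothing in this section explains the new ifndef() guards, and the stubs still gen_require() types such as fail2ban_var_run_t, fail2ban_initrc_exec_t and the fail2ban_client_roles attribute that this tree no longer defines now that fail2ban.te/.fc are removed, so whether they resolve depends on the fail2ban package's module keeping exactly those names and, presumably, on its .if being processed before this file so the guard actually skips the stub. A comment after the module summary (which starts before the first hunk) should record that, e.g. `# Compatibility stubs: the fail2ban package now ships its own policy module that defines these interfaces. Each is wrapped in ifndef() so the package definition takes precedence when present; the types named in gen_require() only exist while that module is loaded.` Any base-policy caller of these interfaces that is not inside an optional_policy() block will likely fail to build when the package module is absent, so the remaining callers are worth checking. Note also that the fail2ban_admin stub is not a no-op: it still grants $1 ptrace over fail2ban_t and fail2ban_client_t unless deny_ptrace is set, and adds a role_transition to system_r for $2, which is unchanged behaviour but deserves a mention in that comment.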
