From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id AAFFB138010 for ; Fri, 28 Sep 2012 17:51:41 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 550FFE071D; Fri, 28 Sep 2012 17:50:39 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 11F3BE0716 for ; Fri, 28 Sep 2012 17:50:38 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 33F7533D187 for ; Fri, 28 Sep 2012 17:50:38 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id D9A1AE544E for ; Fri, 28 Sep 2012 17:50:35 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1348854072.cf4135ed179e1864d9251c9eb8a8c6e6c172b894.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/denyhosts.fc policy/modules/contrib/denyhosts.if policy/modules/contrib/denyhosts.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cf4135ed179e1864d9251c9eb8a8c6e6c172b894 X-VCS-Branch: master Date: Fri, 28 Sep 2012 17:50:35 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a93bf0e4-899a-4913-a7b2-bad2a5782a78 X-Archives-Hash: e7c08d38efa2145401e3f065b657eb21 commit: cf4135ed179e1864d9251c9eb8a8c6e6c172b894 Author: Dominick Grift gmail com> AuthorDate: Fri Sep 28 08:23:59 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Fri Sep 28 17:41:12 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf4135ed Changes to the denyhosts policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/denyhosts.fc | 8 +++++--- policy/modules/contrib/denyhosts.if | 24 +++++++++--------------- policy/modules/contrib/denyhosts.te | 24 ++++++++++++------------ 3 files changed, 26 insertions(+), 30 deletions(-) diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc index 257fef6..89b0b77 100644 --- a/policy/modules/contrib/denyhosts.fc +++ b/policy/modules/contrib/denyhosts.fc 
@@ -1,7 +1,9 @@
 /etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
-/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
-/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
 /var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
-/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
+
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
index 567865f..a7326da 100644
--- a/policy/modules/contrib/denyhosts.if
+++ b/policy/modules/contrib/denyhosts.if
@@ -1,12 +1,4 @@
-## DenyHosts SSH dictionary attack mitigation
-##
-##

-## DenyHosts is a script intended to be run by Linux -## system administrators to help thwart SSH server attacks -## (also known as dictionary based attacks and brute force -## attacks). -##

-##
+## SSH dictionary attack mitigation. ######################################## ## @@ -18,17 +10,19 @@ ## ## # -interface(`denyhosts_domtrans', ` +interface(`denyhosts_domtrans',` gen_require(` type denyhosts_t, denyhosts_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) ') ######################################## ## -## Execute denyhost server in the denyhost domain. +## Execute denyhost server in the +## denyhost domain. ## ## ## @@ -36,7 +30,7 @@ interface(`denyhosts_domtrans', ` ## ## # -interface(`denyhosts_initrc_domtrans', ` +interface(`denyhosts_initrc_domtrans',` gen_require(` type denyhosts_initrc_exec_t; ') @@ -46,8 +40,8 @@ interface(`denyhosts_initrc_domtrans', ` ######################################## ## -## All of the rules required to administrate -## an denyhosts environment. +## All of the rules required to +## administrate an denyhosts environment. ## ## ## @@ -60,7 +54,7 @@ interface(`denyhosts_initrc_domtrans', ` ## ## # -interface(`denyhosts_admin', ` +interface(`denyhosts_admin',` gen_require(` type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; type denyhosts_var_log_t, denyhosts_initrc_exec_t; diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te index 8ba9425..2c544f5 100644 --- a/policy/modules/contrib/denyhosts.te +++ b/policy/modules/contrib/denyhosts.te @@ -1,8 +1,8 @@ -policy_module(denyhosts, 1.0.0) +policy_module(denyhosts, 1.0.1) ######################################## # -# DenyHosts personal declarations. +# Declarations # type denyhosts_t; 
@@ -23,15 +23,14 @@ logging_log_file(denyhosts_var_log_t)
 ########################################
 #
-# DenyHosts personal policy.
+# Local policy
 #
-allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
-allow denyhosts_t self:tcp_socket create_socket_perms;
-allow denyhosts_t self:udp_socket create_socket_perms;
+allow denyhosts_t self:capability sys_tty_config;
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
+allow denyhosts_t self:netlink_route_socket nlmsg_write;
 manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
-files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
 manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
 manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
@@ -43,24 +42,25 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
 setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
 logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+kernel_read_network_state(denyhosts_t)
 kernel_read_system_state(denyhosts_t)
 corecmd_exec_bin(denyhosts_t)
+corecmd_exec_shell(denyhosts_t)
 corenet_all_recvfrom_unlabeled(denyhosts_t)
 corenet_all_recvfrom_netlabel(denyhosts_t)
 corenet_tcp_sendrecv_generic_if(denyhosts_t)
 corenet_tcp_sendrecv_generic_node(denyhosts_t)
-corenet_tcp_bind_generic_node(denyhosts_t)
-corenet_tcp_connect_smtp_port(denyhosts_t)
+
 corenet_sendrecv_smtp_client_packets(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_tcp_sendrecv_smtp_port(denyhosts_t)
 dev_read_urand(denyhosts_t)
-files_read_etc_files(denyhosts_t)
-
-# /var/log/secure
 logging_read_generic_logs(denyhosts_t)
+logging_send_syslog_msg(denyhosts_t)
 miscfiles_read_localization(denyhosts_t)
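Review bot: `allow denyhosts_t self:netlink_route_socket nlmsg_write;` in the first .te hunk grants a log-parsing daemon the one netlink_route permission that lets it push routing-table changes, while the create/read/write permissions that nlmsg_write is useless without were removed with `create_netlink_socket_perms` and are not re-granted anywhere in the hunk; that pattern reads like a Fedora AVC-silencing rule carried over rather than a demonstrated need. If the denial comes from the Python socket library probing routes, `dontaudit denyhosts_t self:netlink_route_socket nlmsg_write;` is the safer form, and the base netlink permissions should come from whichever sysnet_* interface the rest of the file calls (not visible here). Likewise `allow denyhosts_t self:capability sys_tty_config;` is broader than the `dontaudit denyhosts_t self:capability sys_tty_config;` that refpolicy daemon modules commonly use for the tty-reconfiguration attempt a daemonizing process makes; unless denyhosts actually reconfigures a tty, prefer the dontaudit. A one-line comment above these three self rules stating which operation each silences would make the next audit of this module much cheaper.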
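Review bot: this hunk keeps `corenet_tcp_connect_smtp_port(denyhosts_t)` and adds `corenet_tcp_sendrecv_smtp_port(denyhosts_t)`, but the preceding hunk dropped `allow denyhosts_t self:tcp_socket create_socket_perms;` and nothing visible replaces it; the corenet_* interfaces grant name_connect and send/recv on the port and interface types, not socket creation on self, so unless a call outside the hunk supplies that permission the SMTP notification path will be denied at socket(2) before the port check is ever reached. Either restore `allow denyhosts_t self:tcp_socket create_socket_perms;` beside the smtp rules, or if mail notification is meant to be optional, put it and the three smtp lines under a tunable so the default policy does not grant outbound SMTP to a daemon that only edits hosts.deny. `corecmd_exec_shell(denyhosts_t)` is also new here with no comment on what spawns the shell; a short `# <caller> runs a shell for ...` note above it, filled in from whatever AVC motivated it, would keep reviewers from having to re-derive it. The rest of the .te file, including any sysnet_* or tunable blocks that could change this analysis, is outside the hunk.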