From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 13BAA138010 for ; Tue, 2 Oct 2012 18:24:57 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4DF9A21C027; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DFC0021C016 for ; Tue, 2 Oct 2012 18:11:12 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4038233D71E for ; Tue, 2 Oct 2012 18:11:03 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 423D1E544F for ; Tue, 2 Oct 2012 18:11:00 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201140.803076cd0dc344f6d04b6509508fcfd9f7de80f5.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/fail2ban.fc policy/modules/contrib/fail2ban.if policy/modules/contrib/fail2ban.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 803076cd0dc344f6d04b6509508fcfd9f7de80f5 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 604d1fe4-8f52-4994-aacd-23208532696e X-Archives-Hash: 39932090689a41de925e16850f748566 commit: 803076cd0dc344f6d04b6509508fcfd9f7de80f5 Author: Dominick Grift gmail com> AuthorDate: Mon Oct 1 07:27:01 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:05:40 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=803076cd Changes to the fail2ban policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/fail2ban.fc | 11 +++-- policy/modules/contrib/fail2ban.if | 85 +++++++++++++++++++++++++++++------ policy/modules/contrib/fail2ban.te | 74 ++++++++++++++++++++++++------- 3 files changed, 133 insertions(+), 37 deletions(-) diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc index 0de2b83..4da938f 100644 --- a/policy/modules/contrib/fail2ban.fc +++ b/policy/modules/contrib/fail2ban.fc 
@@ -1,8 +1,9 @@
-/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
 /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
-/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index f590a1f..a2f8aa2 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
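Review bot: `/var/run/fail2ban.*`, re-emitted on the new side of this hunk, has an unescaped `.` followed by `.*`, so it claims any `/var/run/fail2ban<anything>` entry rather than the `fail2ban` directory and the `fail2ban.`-prefixed files beside it, while `/var/lib/fail2ban(/.*)?` a few lines earlier anchors on a separator and `/var/log/fail2ban\.log.*` escapes its dot. If the intent is the directory plus any `fail2ban.*` siblings the daemon may create directly in /var/run, spelling that out as `/var/run/fail2ban(/.*)?` and `/var/run/fail2ban\..*` makes the labelling scope explicit instead of relying on the loose match. As written the pattern is wider than it reads, and this is the line that decides what fail2ban_t may manage under `files_pid_filetrans`.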
@@ -15,13 +15,61 @@ interface(`fail2ban_domtrans',` type fail2ban_t, fail2ban_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) ') +######################################## +## +## Execute the fail2ban client in +## the fail2ban client domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fail2ban_domtrans_client',` + gen_require(` + type fail2ban_client_t, fail2ban_client_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) +') + +######################################## +## +## Execute fail2ban client in the +## fail2ban client domain, and allow +## the specified role the fail2ban +## client domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`fail2ban_run_client',` + gen_require(` + attribute_role fail2ban_client_roles; + ') + + fail2ban_domtrans_client($1) + roleattribute $2 fail2ban_client_roles; +') + ##################################### ## -## Connect to fail2ban over a unix domain -## stream socket. +## Connect to fail2ban over a +## unix domain stream socket. ## ## ## @@ -40,7 +88,8 @@ interface(`fail2ban_stream_connect',` ######################################## ## -## Read and write to an fail2ban unix stream socket. +## Read and write fail2ban unix +## stream sockets. ## ## ## @@ -77,7 +126,7 @@ interface(`fail2ban_read_lib_files',` ######################################## ## -## Allow the specified domain to read fail2ban's log files. +## Read fail2ban log files. ## ## ## @@ -92,14 +141,12 @@ interface(`fail2ban_read_log',` ') logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; allow $1 fail2ban_log_t:file read_file_perms; ') ######################################## ## -## Allow the specified domain to append -## fail2ban log files. +## Append fail2ban log files. ## ## ## 
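Review bot: `fail2ban_run_client` only associates `$2` with the client domain via `roleattribute $2 fail2ban_client_roles;`, yet the client-policy hunk in fail2ban.te gives `fail2ban_client_t` a `domtrans_pattern` into `fail2ban_t`, and `fail2ban_t` is, as far as this page shows, only reached through `init_daemon_domain`, which ties it to system_r. A role granted here that starts the server through the client rather than through the init script would therefore, as far as I can tell, fail the role check on that transition. If that workflow is intended, the server domain must be allowed to the same roles this interface grants; if it is not, a comment on the interface stating that the client is expected to talk to an already-running server would settle the question for the next reader. The `fail2ban_admin` interface in a later hunk calls this interface, so administrative roles are the ones affected.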
@@ -113,13 +160,12 @@ interface(`fail2ban_append_log',` ') logging_search_logs($1) - allow $1 fail2ban_log_t:dir list_dir_perms; allow $1 fail2ban_log_t:file append_file_perms; ') ######################################## ## -## Read fail2ban PID files. +## Read fail2ban pid files. ## ## ## @@ -138,8 +184,8 @@ interface(`fail2ban_read_pid_files',` ######################################## ## -## All of the rules required to administrate -## an fail2ban environment +## All of the rules required to +## administrate an fail2ban environment. ## ## ## @@ -148,19 +194,20 @@ interface(`fail2ban_read_pid_files',` ## ## ## -## The role to be allowed to manage the fail2ban domain. +## Role allowed access. ## ## ## # interface(`fail2ban_admin',` gen_require(` - type fail2ban_t, fail2ban_log_t; + type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; type fail2ban_var_run_t, fail2ban_initrc_exec_t; + type fail2ban_var_lib_t, fail2ban_client_t; ') - allow $1 fail2ban_t:process { ptrace signal_perms }; - ps_process_pattern($1, fail2ban_t) + allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) domain_system_change_exemption($1) @@ -172,4 +219,12 @@ interface(`fail2ban_admin',` files_list_pids($1) admin_pattern($1, fail2ban_var_run_t) + + files_search_var_lib($1) + admin_pattern($1, fail2ban_var_lib_t) + + files_search_tmp($1) + admin_pattern($1, fail2ban_tmp_t) + + fail2ban_run_client($1, $2) ') diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te index 4cdbca5..b498e66 100644 --- a/policy/modules/contrib/fail2ban.te +++ b/policy/modules/contrib/fail2ban.te 
@@ -1,10 +1,12 @@ -policy_module(fail2ban, 1.4.0) +policy_module(fail2ban, 1.4.1) ######################################## # # Declarations # +attribute_role fail2ban_client_roles; + type fail2ban_t; type fail2ban_exec_t; init_daemon_domain(fail2ban_t, fail2ban_exec_t) 
@@ -12,43 +14,51 @@ init_daemon_domain(fail2ban_t, fail2ban_exec_t) type fail2ban_initrc_exec_t; init_script_file(fail2ban_initrc_exec_t) -# log files type fail2ban_log_t; logging_log_file(fail2ban_log_t) type fail2ban_var_lib_t; files_type(fail2ban_var_lib_t) -# pid files type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) +type fail2ban_tmp_t; +files_tmp_file(fail2ban_tmp_t) + +type fail2ban_client_t; +type fail2ban_client_exec_t; +init_system_domain(fail2ban_client_t, fail2ban_client_exec_t) +role fail2ban_client_roles types fail2ban_client_t; + ######################################## # -# fail2ban local policy +# Server Local policy # -allow fail2ban_t self:capability { sys_tty_config }; +allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; -allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -allow fail2ban_t self:unix_dgram_socket create_socket_perms; -allow fail2ban_t self:tcp_socket create_stream_socket_perms; +allow fail2ban_t self:unix_stream_socket { accept connectto listen }; +allow fail2ban_t self:tcp_socket { accept listen }; -# log files -allow fail2ban_t fail2ban_log_t:dir setattr; -manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) +manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) + manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) 
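Review bot: `allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };` grants both DAC capabilities, but `dac_override` already covers everything `dac_read_search` permits and additionally lets the daemon write files it does not own; reading other services' root-only logs needs only `dac_read_search`, so unless a write denial motivated it I would drop `dac_override`, or at least record the reason: `# dac_read_search: read mode-0600 logs owned by other daemons`. In the same hunk `exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` next to `manage_files_pattern` on the same type gives a domain that parses untrusted log lines write-then-execute on its own temporary files; that pairing deserves a comment naming the action that requires it, so it is not carried forward by default. Replacing `create_stream_socket_perms` with `{ accept connectto listen }` on the unix stream socket, and the matching `tcp_socket { accept listen }` line, presumably relies on the base domain rules already granting create and bind in this tree; if they do not, the server can no longer create its control socket, so this is worth confirming against the denial log.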
-files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) -# pid file manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) +files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) # FAM support needs this (/proc/self and parent stuff) read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) @@ -62,15 +72,16 @@ corenet_all_recvfrom_unlabeled(fail2ban_t) corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) -corenet_tcp_sendrecv_all_ports(fail2ban_t) -corenet_tcp_connect_whois_port(fail2ban_t) + corenet_sendrecv_whois_client_packets(fail2ban_t) +corenet_tcp_connect_whois_port(fail2ban_t) +corenet_tcp_sendrecv_whois_port(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) +domain_dontaudit_read_all_domains_state(fail2ban_t) -files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) files_read_usr_files(fail2ban_t) files_list_var(fail2ban_t) @@ -87,6 +98,8 @@ logging_send_syslog_msg(fail2ban_t) miscfiles_read_localization(fail2ban_t) +sysnet_manage_config(fail2ban_t) + mta_send_mail(fail2ban_t) optional_policy(` 
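Review bot: `sysnet_manage_config(fail2ban_t)` grants write access to every file carrying the network-configuration type, which in refpolicy typically includes resolver and hosts configuration, not just the hosts-deny file a ban action appends to; a domain whose input is attacker-controlled log content thereby gains the ability to rewrite name-resolution settings. If the only write target is `/etc/hosts.deny`, a comment should say so and a narrower interface be preferred where this tree offers one: `# hostsdeny action appends to /etc/hosts.deny; no other net config is written`. The tightening from `corenet_tcp_sendrecv_all_ports` to the whois port in the previous hunk of this file is the right direction, and the same scoping discipline applies here.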
@@ -100,3 +113,30 @@ optional_policy(`
 optional_policy(`
 	iptables_domtrans(fail2ban_t)
 ')
+
+optional_policy(`
+	libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+	shorewall_domtrans(fail2ban_t)
+')
+
+########################################
+#
+# Client Local policy
+#
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+corecmd_exec_bin(fail2ban_client_t)
+
+files_read_etc_files(fail2ban_client_t)
+files_read_usr_files(fail2ban_client_t)
+files_search_pids(fail2ban_client_t)
+
+miscfiles_read_localization(fail2ban_client_t)
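Review bot: `files_read_etc_files(fail2ban_client_t)` is added here while the same commit removes `files_read_etc_files(fail2ban_t)` from the server section (the `-62,15` hunk of this file); one of the two is inconsistent, since either the base domain rules already cover reading etc files, making the client line redundant, or the server just lost access to its own configuration. Whichever is intended, a one-line comment on the kept call, e.g. `# etc reads come from the base domain rules; do not re-add`, would stop the next port from flipping it back. The new client section also carries no rule for the client's own socket creation, so like the server hunk it depends on the base domain attribute providing those permissions in this tree.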