[selinux-policy: 1999/3172] trunk: fail2ban update from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:57:38 UTC 2010


commit cdac989dee9a1c817bb86f55b2186fbea42a3c9d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 5 14:17:18 2008 +0000

    trunk: fail2ban update from dan.

 policy/modules/kernel/corenetwork.te.in |    3 ++-
 policy/modules/services/fail2ban.fc     |    4 ++++
 policy/modules/services/fail2ban.te     |   31 +++++++++++++++++++++++++++----
 3 files changed, 33 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index d686641..58d4da0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.2.17)
+policy_module(corenetwork, 1.2.18)
 
 ########################################
 #
@@ -174,6 +174,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(wccp, udp,2048,s0)
+network_port(whois, tcp,43,s0, udp,43,s0)
 network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index a7ee95e..7b90566 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -1,3 +1,7 @@
+/etc/rc.d/init.d/fail2ban --	gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
+
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
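Review bot: The two new executable entries are laid out differently from the rest of the file: `/etc/rc.d/init.d/fail2ban --` and `/usr/bin/fail2ban-server --` separate the path from the `--` file-type field with a single space, while the existing `/usr/bin/fail2ban` line and the new `/var/run/fail2ban\.sock` line use tabs. Both forms parse the same, but the column alignment that makes .fc files easy to scan is lost for exactly these two lines. Tab-separating the three fields on the new lines keeps them consistent with the file.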
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 2f3e8c4..e4763b5 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -1,5 +1,5 @@
 
-policy_module(fail2ban, 1.1.0)
+policy_module(fail2ban, 1.1.1)
 
 ########################################
 #
@@ -18,6 +18,9 @@ logging_log_file(fail2ban_log_t)
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
 
+type fail2ban_script_exec_t;
+init_script_file(fail2ban_script_exec_t)
+
 ########################################
 #
 # fail2ban local policy
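Review bot: `fail2ban_script_exec_t` is declared with `init_script_file()` but nothing in the commit exposes it: the diffstat lists only corenetwork.te.in, fail2ban.fc and fail2ban.te, so no interface in fail2ban.if lets an admin domain run or relabel the init script, and init itself is the only consumer. If that is deliberate for now, a short comment above the declaration (`# init script; no admin interface yet`) tells the next reader not to look for one. Otherwise an interface wrapping the init-script domain transition belongs in the same change so the new type is usable from outside the module.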
@@ -25,7 +28,8 @@ files_pid_file(fail2ban_var_run_t)
 
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow fail2ban_t self:tcp_socket create_stream_socket_perms;
 
 # log files
 allow fail2ban_t fail2ban_log_t:dir setattr;
@@ -33,28 +37,47 @@ manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
 
 # pid file
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
 
 kernel_read_system_state(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 
+corenet_all_recvfrom_unlabeled(fail2ban_t)
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_all_nodes(fail2ban_t)
+corenet_tcp_sendrecv_all_ports(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+
 dev_read_urand(fail2ban_t)
 
 domain_use_interactive_fds(fail2ban_t)
 
 files_read_etc_files(fail2ban_t)
+files_read_etc_runtime_files(fail2ban_t)
 files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
 
 libs_use_ld_so(fail2ban_t)
 libs_use_shared_libs(fail2ban_t)
 
-logging_read_generic_logs(fail2ban_t)
+logging_read_all_logs(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
 
+mta_send_mail(fail2ban_t)
+
 optional_policy(`
 	apache_read_log(fail2ban_t)
 ')
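Review bot: `corenet_tcp_sendrecv_all_ports(fail2ban_t)` grants send/receive on every labelled TCP port, while the only connection the domain is given is `corenet_tcp_connect_whois_port`; the per-port interface generated from the `network_port(whois, ...)` line added in corenetwork.te.in, `corenet_tcp_sendrecv_whois_port(fail2ban_t)`, covers the whois lookup without opening the domain to all ports. In the same spirit, `logging_read_all_logs` replaces `logging_read_generic_logs` and grants read access to every log type in the policy, even though apache logs are already handled by the `apache_read_log` optional_policy at the end of the hunk; a comment naming which daemon logs actually require the broader interface would justify the change and let it be narrowed later. `fs_getattr_all_fs` and `fs_list_inotifyfs` are added without a comment either; a short `# log files are watched with inotify` style note next to them would tie the two rules to their purpose.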

