Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/fail2ban.te

policy_module(fail2ban, 1.5.0)

########################################
#
# Declarations
#

attribute_role fail2ban_client_roles;

type fail2ban_t;
type fail2ban_exec_t;
init_daemon_domain(fail2ban_t, fail2ban_exec_t)

type fail2ban_initrc_exec_t;
init_script_file(fail2ban_initrc_exec_t)

type fail2ban_log_t;
logging_log_file(fail2ban_log_t)

type fail2ban_var_lib_t;
files_type(fail2ban_var_lib_t)

type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)

type fail2ban_tmp_t;
files_tmp_file(fail2ban_tmp_t)

type fail2ban_client_t;
type fail2ban_client_exec_t;
init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
role fail2ban_client_roles types fail2ban_client_t;

########################################
#
# Server Local policy
#

allow fail2ban_t self:capability { dac_read_search sys_tty_config };
allow fail2ban_t self:process { getpgid setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;

read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)

allow fail2ban_t fail2ban_log_t:file watch;
append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)

manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })

manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)

manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)

kernel_read_system_state(fail2ban_t)
kernel_read_network_state(fail2ban_t)
kernel_read_net_sysctls(fail2ban_t)

corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)

corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)

corenet_sendrecv_whois_client_packets(fail2ban_t)
corenet_tcp_connect_whois_port(fail2ban_t)
corenet_tcp_sendrecv_whois_port(fail2ban_t)

dev_read_urand(fail2ban_t)
dev_read_sysfs(fail2ban_t)

domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)

files_read_etc_runtime_files(fail2ban_t)
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)

fs_getattr_all_fs(fail2ban_t)

auth_use_nsswitch(fail2ban_t)

logging_read_all_logs(fail2ban_t)
logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
logging_read_syslog_pid(fail2ban_t)
logging_dontaudit_search_audit_logs(fail2ban_t)
logging_mmap_generic_logs(fail2ban_t)
logging_mmap_journal(fail2ban_t)
logging_watch_audit_log_files(fail2ban_t)
logging_watch_audit_log_dirs(fail2ban_t)
logging_watch_generic_log_dirs(fail2ban_t)
logging_watch_journal_dir(fail2ban_t)

mta_send_mail(fail2ban_t)

sysnet_manage_config(fail2ban_t)

optional_policy(`
	apache_read_log(fail2ban_t)
')

optional_policy(`
	dbus_system_bus_client(fail2ban_t)
	dbus_connect_system_bus(fail2ban_t)

	optional_policy(`
		firewalld_dbus_chat(fail2ban_t)
	')
')

optional_policy(`
	ftp_read_log(fail2ban_t)
')

optional_policy(`
	gnome_dontaudit_search_config(fail2ban_t)
')

optional_policy(`
	iptables_domtrans(fail2ban_t)
')

optional_policy(`
	allow fail2ban_t self:capability sys_resource;
	allow fail2ban_t self:process setrlimit;
	journalctl_exec(fail2ban_t)
')

optional_policy(`
	libs_exec_ldconfig(fail2ban_t)
')

optional_policy(`
	rpm_exec(fail2ban_t)
')

optional_policy(`
	shorewall_domtrans(fail2ban_t)
')

########################################
#
# Client Local policy
#

allow fail2ban_client_t self:capability { dac_read_search  };
allow fail2ban_client_t self:unix_stream_socket { create connect write read };

domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)

allow fail2ban_client_t fail2ban_t:process { rlimitinh };

dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
allow fail2ban_client_t fail2ban_var_run_t:dir write;
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)

kernel_read_system_state(fail2ban_client_t)

corecmd_exec_bin(fail2ban_client_t)

dev_read_urand(fail2ban_client_t)
dev_read_rand(fail2ban_client_t)

domain_use_interactive_fds(fail2ban_client_t)

files_search_pids(fail2ban_client_t)

auth_use_nsswitch(fail2ban_client_t)

libs_exec_ldconfig(fail2ban_client_t)

logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
logging_read_audit_log(fail2ban_client_t)

userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)

optional_policy(`
    apache_read_log(fail2ban_client_t)
')
extract all compressed files to make viewing source code easier and updated oreon-backgrounds and oreon-release packages 2024-07-03 21:20:34 -07:00			`policy_module(fail2ban, 1.5.0)`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute_role fail2ban_client_roles;`

			`type fail2ban_t;`
			`type fail2ban_exec_t;`
			`init_daemon_domain(fail2ban_t, fail2ban_exec_t)`

			`type fail2ban_initrc_exec_t;`
			`init_script_file(fail2ban_initrc_exec_t)`

			`type fail2ban_log_t;`
			`logging_log_file(fail2ban_log_t)`

			`type fail2ban_var_lib_t;`
			`files_type(fail2ban_var_lib_t)`

			`type fail2ban_var_run_t;`
			`files_pid_file(fail2ban_var_run_t)`

			`type fail2ban_tmp_t;`
			`files_tmp_file(fail2ban_tmp_t)`

			`type fail2ban_client_t;`
			`type fail2ban_client_exec_t;`
			`init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)`
			`role fail2ban_client_roles types fail2ban_client_t;`

			`########################################`
			`#`
			`# Server Local policy`
			`#`

			`allow fail2ban_t self:capability { dac_read_search sys_tty_config };`
			`allow fail2ban_t self:process { getpgid setsched signal };`
			`allow fail2ban_t self:fifo_file rw_fifo_file_perms;`
			`allow fail2ban_t self:unix_stream_socket { accept connectto listen };`
			`allow fail2ban_t self:tcp_socket { accept listen };`
			`allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;`

			`read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)`

			`allow fail2ban_t fail2ban_log_t:file watch;`
			`append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)`
			`create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)`
			`setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)`
			`logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)`

			`manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)`
			`manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)`
			`exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)`
			`files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })`

			`manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)`
			`manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)`

			`manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)`
			`manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)`
			`manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)`
			`files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)`

			`kernel_read_system_state(fail2ban_t)`
			`kernel_read_network_state(fail2ban_t)`
			`kernel_read_net_sysctls(fail2ban_t)`

			`corecmd_exec_bin(fail2ban_t)`
			`corecmd_exec_shell(fail2ban_t)`

			`corenet_all_recvfrom_netlabel(fail2ban_t)`
			`corenet_tcp_sendrecv_generic_if(fail2ban_t)`
			`corenet_tcp_sendrecv_generic_node(fail2ban_t)`

			`corenet_sendrecv_whois_client_packets(fail2ban_t)`
			`corenet_tcp_connect_whois_port(fail2ban_t)`
			`corenet_tcp_sendrecv_whois_port(fail2ban_t)`

			`dev_read_urand(fail2ban_t)`
			`dev_read_sysfs(fail2ban_t)`

			`domain_use_interactive_fds(fail2ban_t)`
			`domain_dontaudit_read_all_domains_state(fail2ban_t)`

			`files_read_etc_runtime_files(fail2ban_t)`
			`files_list_var(fail2ban_t)`
			`files_dontaudit_list_tmp(fail2ban_t)`

			`fs_getattr_all_fs(fail2ban_t)`

			`auth_use_nsswitch(fail2ban_t)`

			`logging_read_all_logs(fail2ban_t)`
			`logging_read_audit_log(fail2ban_t)`
			`logging_send_syslog_msg(fail2ban_t)`
			`logging_read_syslog_pid(fail2ban_t)`
			`logging_dontaudit_search_audit_logs(fail2ban_t)`
			`logging_mmap_generic_logs(fail2ban_t)`
			`logging_mmap_journal(fail2ban_t)`
			`logging_watch_audit_log_files(fail2ban_t)`
			`logging_watch_audit_log_dirs(fail2ban_t)`
			`logging_watch_generic_log_dirs(fail2ban_t)`
			`logging_watch_journal_dir(fail2ban_t)`

			`mta_send_mail(fail2ban_t)`

			`sysnet_manage_config(fail2ban_t)`

			optional_policy(`
			`apache_read_log(fail2ban_t)`
			`')`

			optional_policy(`
			`dbus_system_bus_client(fail2ban_t)`
			`dbus_connect_system_bus(fail2ban_t)`

			optional_policy(`
			`firewalld_dbus_chat(fail2ban_t)`
			`')`
			`')`

			optional_policy(`
			`ftp_read_log(fail2ban_t)`
			`')`

			optional_policy(`
			`gnome_dontaudit_search_config(fail2ban_t)`
			`')`

			optional_policy(`
			`iptables_domtrans(fail2ban_t)`
			`')`

			optional_policy(`
			`allow fail2ban_t self:capability sys_resource;`
			`allow fail2ban_t self:process setrlimit;`
			`journalctl_exec(fail2ban_t)`
			`')`

			optional_policy(`
			`libs_exec_ldconfig(fail2ban_t)`
			`')`

			optional_policy(`
			`rpm_exec(fail2ban_t)`
			`')`

			optional_policy(`
			`shorewall_domtrans(fail2ban_t)`
			`')`

			`########################################`
			`#`
			`# Client Local policy`
			`#`

			`allow fail2ban_client_t self:capability { dac_read_search };`
			`allow fail2ban_client_t self:unix_stream_socket { create connect write read };`

			`domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)`

			`allow fail2ban_client_t fail2ban_t:process { rlimitinh };`

			`dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;`
			`allow fail2ban_client_t fail2ban_var_run_t:dir write;`
			`stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)`

			`kernel_read_system_state(fail2ban_client_t)`

			`corecmd_exec_bin(fail2ban_client_t)`

			`dev_read_urand(fail2ban_client_t)`
			`dev_read_rand(fail2ban_client_t)`

			`domain_use_interactive_fds(fail2ban_client_t)`

			`files_search_pids(fail2ban_client_t)`

			`auth_use_nsswitch(fail2ban_client_t)`

			`libs_exec_ldconfig(fail2ban_client_t)`

			`logging_getattr_all_logs(fail2ban_client_t)`
			`logging_search_all_logs(fail2ban_client_t)`
			`logging_read_audit_log(fail2ban_client_t)`

			`userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)`
			`userdom_use_user_terminals(fail2ban_client_t)`

			optional_policy(`
			`apache_read_log(fail2ban_client_t)`
			`')`