Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 21 Nov 2012 21:03:00
Message-Id: 1353531510.4a815585fae5dadf09c49f99096f5c4b72a479d6.SwifT@gentoo
1 commit: 4a815585fae5dadf09c49f99096f5c4b72a479d6
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sat Nov 17 20:58:49 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Nov 21 20:58:30 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4a815585
7
8 Introduce dontaudit interfaces for leaked fd and unix stream sockets
9
10 The fail2ban application leaks file descriptors and unix stream sockets when it
11 invokes sendmail, so introduce the necessary dontaudit interfaces which will be
12 used in a later patch against the mta and postfix policies.
13
14 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
15
16 ---
17 policy/modules/contrib/fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++
18 1 files changed, 38 insertions(+), 0 deletions(-)
19
20 diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
21 index 733a689..275fb9e 100644
22 --- a/policy/modules/contrib/fail2ban.if
23 +++ b/policy/modules/contrib/fail2ban.if
24 @@ -107,6 +107,44 @@ interface(`fail2ban_rw_inherited_tmp_files',`
25
26 ########################################
27 ## <summary>
28 +## Do not audit attempts to use
29 +## fail2ban file descriptors.
30 +## </summary>
31 +## <param name="domain">
32 +## <summary>
33 +## Domain to not audit.
34 +## </summary>
35 +## </param>
36 +#
37 +interface(`fail2ban_dontaudit_use_fds',`
38 + gen_require(`
39 + type fail2ban_t;
40 + ')
41 +
42 + dontaudit $1 fail2ban_t:fd use;
43 +')
44 +
45 +########################################
46 +## <summary>
47 +## Do not audit read and write
48 +## fail2ban unix stream sockets
49 +## </summary>
50 +## <param name="domain">
51 +## <summary>
52 +## Domain to not audit.
53 +## </summary>
54 +## </param>
55 +#
56 +interface(`fail2ban_dontaudit_rw_stream_sockets',`
57 + gen_require(`
58 + type fail2ban_t;
59 + ')
60 +
61 + dontaudit $1 fail2ban_t:unix_stream_socket { read write };
62 +')
63 +
64 +########################################
65 +## <summary>
66 ## Read and write fail2ban unix
67 ## stream sockets.
68 ## </summary>
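Review bot: the summary of `fail2ban_dontaudit_rw_stream_sockets` is missing its trailing period and, unlike `fail2ban_dontaudit_use_fds` just above it, does not say "attempts to"; suggest `## Do not audit attempts to read and write` / `## fail2ban unix stream sockets.` so the three neighbouring interface descriptions read consistently. On the substance, both new interfaces only silence the AVC denials raised when a domain inherits fail2ban's descriptors; the leak named in the commit message (fail2ban not closing, or not marking close-on-exec, its fd and unix stream socket before it execs sendmail) is unchanged, so the inheriting domain still holds an open handle to the socket. Dontaudit is the right choice for the policy side, since the MTA never legitimately needs these descriptors, but it also hides any future genuine use of them, so the leak is worth reporting upstream rather than relying on these rules alone.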