commit: 4a815585fae5dadf09c49f99096f5c4b72a479d6 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Nov 17 20:58:49 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 21 20:58:30 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4a815585 |
|
Introduce dontaudit interfaces for leaked fd and unix stream sockets |
|
The fail2ban application leaks file descriptors and unix stream sockets when it |
invokes sendmail, so introduce the necessary dontaudit interfaces which will be |
used in a later patch against the mta and postfix policies. |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++ |
1 files changed, 38 insertions(+), 0 deletions(-) |
|
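diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 733a689..275fb9e 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -107,6 +107,44 @@ interface(`fail2ban_rw_inherited_tmp_files',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to use
+## fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit read and write
+## fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ## Read and write fail2ban unix
 ## stream sockets.
 ## </summary>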
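Review bot: The two dontaudit rules silence the only audit-log signal that fail2ban_t is handing its open file descriptors and unix stream socket to the sendmail child it spawns, and the commit message attributes that leak to fail2ban itself rather than to the policy. The interfaces should record that provenance so the rules can be revisited once the application closes its descriptors on exec; I would add, above each `interface(` line, a comment such as `# Covers descriptors leaked by fail2ban_t when it invokes sendmail; remove once fail2ban closes them on exec.`. The second summary `## fail2ban unix stream sockets` also lacks the closing period that the first new summary and the existing `fail2ban_rw_stream_sockets` summary carry. Both new interfaces are complete within the hunk.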