diff options
Diffstat (limited to 'policy/modules/services/denyhosts.te')
| -rw-r--r-- | policy/modules/services/denyhosts.te | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te new file mode 100644 index 000000000..342e6231b --- /dev/null +++ b/policy/modules/services/denyhosts.te @@ -0,0 +1,73 @@ +policy_module(denyhosts, 1.2.0) + +######################################## +# +# Declarations +# + +type denyhosts_t; +type denyhosts_exec_t; +init_daemon_domain(denyhosts_t, denyhosts_exec_t) + +type denyhosts_initrc_exec_t; +init_script_file(denyhosts_initrc_exec_t) + +type denyhosts_var_lib_t; +files_type(denyhosts_var_lib_t) + +type denyhosts_var_lock_t; +files_lock_file(denyhosts_var_lock_t) + +type denyhosts_var_log_t; +logging_log_file(denyhosts_var_log_t) + +######################################## +# +# Local policy +# + +allow denyhosts_t self:capability sys_tty_config; +allow denyhosts_t self:fifo_file rw_fifo_file_perms; +allow denyhosts_t self:netlink_route_socket nlmsg_write; + +manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) + +manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) +manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) +files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) + +append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) + +kernel_read_network_state(denyhosts_t) +kernel_read_system_state(denyhosts_t) + +corecmd_exec_bin(denyhosts_t) +corecmd_exec_shell(denyhosts_t) + +corenet_all_recvfrom_unlabeled(denyhosts_t) +corenet_all_recvfrom_netlabel(denyhosts_t) +corenet_tcp_sendrecv_generic_if(denyhosts_t) +corenet_tcp_sendrecv_generic_node(denyhosts_t) + +corenet_sendrecv_smtp_client_packets(denyhosts_t) +corenet_tcp_connect_smtp_port(denyhosts_t) +corenet_tcp_sendrecv_smtp_port(denyhosts_t) + +dev_read_urand(denyhosts_t) + +logging_read_generic_logs(denyhosts_t) +logging_send_syslog_msg(denyhosts_t) + +miscfiles_read_localization(denyhosts_t) + +sysnet_dns_name_resolve(denyhosts_t) +sysnet_manage_config(denyhosts_t) +sysnet_etc_filetrans_config(denyhosts_t) + +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') |