policy_module(denyhosts, 1.3.1) ######################################## # # Declarations # type denyhosts_t; type denyhosts_exec_t; init_daemon_domain(denyhosts_t, denyhosts_exec_t) type denyhosts_initrc_exec_t; init_script_file(denyhosts_initrc_exec_t) type denyhosts_var_lib_t; files_type(denyhosts_var_lib_t) type denyhosts_var_lock_t; files_lock_file(denyhosts_var_lock_t) type denyhosts_var_log_t; logging_log_file(denyhosts_var_log_t) ######################################## # # Local policy # allow denyhosts_t self:capability sys_tty_config; allow denyhosts_t self:fifo_file rw_fifo_file_perms; allow denyhosts_t self:netlink_route_socket nlmsg_write; manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) kernel_read_network_state(denyhosts_t) kernel_read_system_state(denyhosts_t) corecmd_exec_bin(denyhosts_t) corecmd_exec_shell(denyhosts_t) corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_sendrecv_smtp_client_packets(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) dev_read_urand(denyhosts_t) logging_read_generic_logs(denyhosts_t) logging_send_syslog_msg(denyhosts_t) miscfiles_read_localization(denyhosts_t) sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ')