Add DenyHosts from Dan Walsh.

2010-04-20 09:46:20 -04:00 · 2010-04-20 09:46:20 -04:00 · e07fbc004d
commit e07fbc004d
parent 44b3808ba5
4 changed files with 166 additions and 0 deletions
--- a/1
+++ b/1
@ -5,6 +5,7 @@
 	chronyd (Miroslav Grepl)
 	cobbler (Dominick Grift)
 	dbadm (KaiGai Kohei)
+	denyhosts (Dan Walsh)
 	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
 	likewise (Scott Salley)
 	pyicqt (Stefan Schulze Frielinghaus)
--- a/policy/modules/services/denyhosts.fc
+++ b/policy/modules/services/denyhosts.fc
@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts	--	gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py		--	gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)?		gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+/var/lock/subsys/denyhosts	--	gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/var/log/denyhosts(/.*)?		gen_context(system_u:object_r:denyhosts_var_log_t,s0)
--- a/policy/modules/services/denyhosts.if
+++ b/policy/modules/services/denyhosts.if
@ -0,0 +1,85 @@
+## <summary>DenyHosts SSH dictionary attack mitigation</summary>
+## <desc>
+##	<p>
+##	DenyHosts is a script intended to be run by Linux
+##	system administrators to help thwart SSH server attacks
+##	(also known as dictionary based attacks and brute force
+##	attacks).
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Execute a domain transition to run denyhosts.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`denyhosts_domtrans', `
+	gen_require(`
+		type denyhosts_t, denyhosts_exec_t;
+	')
+
+	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+## <summary>
+##	Execute denyhost server in the denyhost domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`denyhosts_initrc_domtrans', `
+	gen_require(`
+		type denyhosts_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an denyhosts environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`denyhosts_admin', `
+	gen_require(`
+		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+	')
+
+	allow $1 denyhosts_t:process { ptrace signal_perms };
+	ps_process_pattern($1, denyhosts_t)
+
+	denyhosts_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 denyhosts_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, denyhosts_var_lib_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, denyhosts_var_log_t)
+
+	files_search_locks($1)
+	admin_pattern($1, denyhosts_var_lock_t)
+')
--- a/policy/modules/services/denyhosts.te
+++ b/policy/modules/services/denyhosts.te
@ -0,0 +1,73 @@
+
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+	cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')