diff --git a/Changelog b/Changelog
index e41356a74..677e699b7 100644
--- a/Changelog
+++ b/Changelog
@@ -5,6 +5,7 @@
 chronyd (Miroslav Grepl)
 cobbler (Dominick Grift)
 dbadm (KaiGai Kohei)
+ denyhosts (Dan Walsh)
 nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
 likewise (Scott Salley)
 pyicqt (Stefan Schulze Frielinghaus)
diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc
new file mode 100644
index 000000000..257fef603
--- /dev/null
+++ b/policy/modules/services/denyhosts.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
+
+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
+
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
new file mode 100644
index 000000000..a8cb6ebdd
--- /dev/null
+++ b/policy/modules/services/denyhosts.if
@@ -0,0 +1,85 @@
+## DenyHosts SSH dictionary attack mitigation
+##
+##
+## DenyHosts is a script intended to be run by Linux
+## system administrators to help thwart SSH server attacks
+## (also known as dictionary based attacks and brute force
+## attacks).
+##
+##
+
+########################################
+##
+## Execute a domain transition to run denyhosts.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`denyhosts_domtrans', `
+ gen_require(`
+ type denyhosts_t, denyhosts_exec_t;
+ ')
+
+ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
+')
+
+########################################
+##
+## Execute denyhost server in the denyhost domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`denyhosts_initrc_domtrans', `
+ gen_require(`
+ type denyhosts_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an denyhosts environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`denyhosts_admin', `
+ gen_require(`
+ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
+ type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ ')
+
+ allow $1 denyhosts_t:process { ptrace signal_perms };
+ ps_process_pattern($1, denyhosts_t)
+
+ denyhosts_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 denyhosts_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, denyhosts_var_lib_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, denyhosts_var_log_t)
+
+ files_search_locks($1)
+ admin_pattern($1, denyhosts_var_lock_t)
+')
diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
new file mode 100644
index 000000000..016b858e4
--- /dev/null
+++ b/policy/modules/services/denyhosts.te
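Review bot: The summary on `denyhosts_initrc_domtrans` misdescribes the interface and misspells the module name: it reads `## Execute denyhost server in the denyhost domain.`, but the body calls `init_labeled_script_domtrans`, which transitions the caller into the init script domain to run the script labeled denyhosts_initrc_exec_t, not into denyhosts_t. Change it to `## Execute denyhosts init scripts in the init script domain.` so it is not confused with `denyhosts_domtrans` above, which is the one that enters denyhosts_t. The `denyhosts_admin` summary also has a grammar slip, `## an denyhosts environment.` should read `## a denyhosts environment.`. This rendering appears to have stripped the XML `<summary>`/`<param>` tags from the `##` comment lines, so the bare `+##` lines are presumably an extraction artifact rather than empty doc lines in the commit.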
@@ -0,0 +1,73 @@
+
+policy_module(denyhosts, 1.0.0)
+
+########################################
+#
+# DenyHosts personal declarations.
+#
+
+type denyhosts_t;
+type denyhosts_exec_t;
+init_daemon_domain(denyhosts_t, denyhosts_exec_t)
+
+type denyhosts_initrc_exec_t;
+init_script_file(denyhosts_initrc_exec_t)
+
+type denyhosts_var_lib_t;
+files_type(denyhosts_var_lib_t)
+
+type denyhosts_var_lock_t;
+files_lock_file(denyhosts_var_lock_t)
+
+type denyhosts_var_log_t;
+logging_log_file(denyhosts_var_log_t)
+
+########################################
+#
+# DenyHosts personal policy.
+#
+
+allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
+allow denyhosts_t self:tcp_socket create_socket_perms;
+allow denyhosts_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
+files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
+
+manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
+files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
+
+append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
+logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
+
+kernel_read_system_state(denyhosts_t)
+
+corecmd_exec_bin(denyhosts_t)
+
+corenet_all_recvfrom_unlabeled(denyhosts_t)
+corenet_all_recvfrom_netlabel(denyhosts_t)
+corenet_tcp_sendrecv_generic_if(denyhosts_t)
+corenet_tcp_sendrecv_generic_node(denyhosts_t)
+corenet_tcp_bind_generic_node(denyhosts_t)
+corenet_tcp_connect_smtp_port(denyhosts_t)
+corenet_sendrecv_smtp_client_packets(denyhosts_t)
+
+dev_read_urand(denyhosts_t)
+
+files_read_etc_files(denyhosts_t)
+
+# /var/log/secure
+logging_read_generic_logs(denyhosts_t)
+
+miscfiles_read_localization(denyhosts_t)
+
+sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
+
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
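Review bot: `sysnet_manage_config(denyhosts_t)` near the end of the hunk is broader than the daemon needs: it grants manage access on net_conf_t, the type refpolicy's sysnetwork module puts on /etc/resolv.conf and /etc/hosts as well as /etc/hosts.deny, so a compromise of denyhosts_t (a process that parses attacker-influenced strings out of /var/log/secure via `logging_read_generic_logs`) could rewrite name resolution for the whole host. There is no narrower refpolicy interface for hosts.deny alone, so at minimum record the reason and the exposure with a comment above the call, `# writes /etc/hosts.deny (net_conf_t); this also grants write to resolv.conf and /etc/hosts`, and consider a dedicated type for hosts.allow/hosts.deny in a follow-up. Separately, `manage_dirs_pattern` and the `{ dir file }` lock filetrans on denyhosts_var_lock_t have no matching directory entry in the .fc hunk, which labels only the plain file `/var/lock/subsys/denyhosts`; drop the dir rules or add the directory context, whichever matches what the daemon actually creates. `corenet_tcp_bind_generic_node` looks unnecessary for a pure SMTP client, but confirm against AVC denials before removing it.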