nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
60a3d5af67
selinux-refpolicy/policy/modules/services/fail2ban.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

280 lines
5.6 KiB
Plaintext
Raw Blame History

## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
########################################
## <summary>
## Execute a domain transition to run fail2ban.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`fail2ban_domtrans',`
gen_require(`
type fail2ban_t, fail2ban_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
########################################
## <summary>
## Execute the fail2ban client in
## the fail2ban client domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`fail2ban_domtrans_client',`
gen_require(`
type fail2ban_client_t, fail2ban_client_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
')
########################################
## <summary>
## Execute fail2ban client in the
## fail2ban client domain, and allow
## the specified role the fail2ban
## client domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`fail2ban_run_client',`
gen_require(`
attribute_role fail2ban_client_roles;
')
fail2ban_domtrans_client($1)
roleattribute $2 fail2ban_client_roles;
')
#####################################
## <summary>
## Connect to fail2ban over a
## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_stream_connect',`
gen_require(`
type fail2ban_t, fail2ban_runtime_t;
')
files_search_runtime($1)
stream_connect_pattern($1, fail2ban_runtime_t, fail2ban_runtime_t, fail2ban_t)
')
########################################
## <summary>
## Read and write inherited temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_rw_inherited_tmp_files',`
gen_require(`
type fail2ban_tmp_t;
')
files_search_tmp($1)
allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Do not audit attempts to use
## fail2ban file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_use_fds',`
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to read and
## write fail2ban unix stream sockets
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fail2ban_dontaudit_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Read and write fail2ban unix
## stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_rw_stream_sockets',`
gen_require(`
type fail2ban_t;
')
allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
')
########################################
## <summary>
## Read fail2ban lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_read_lib_files',`
gen_require(`
type fail2ban_var_lib_t;
')
files_search_var_lib($1)
allow $1 fail2ban_var_lib_t:file read_file_perms;
')
########################################
## <summary>
## Read fail2ban log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_read_log',`
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
## <summary>
## Append fail2ban log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_append_log',`
gen_require(`
type fail2ban_log_t;
')
logging_search_logs($1)
allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
## <summary>
## Read fail2ban pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fail2ban_read_pid_files',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## All of the rules required to
## administrate an fail2ban environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fail2ban_admin',`
gen_require(`
type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
type fail2ban_runtime_t, fail2ban_initrc_exec_t;
type fail2ban_var_lib_t, fail2ban_client_t;
')
allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t)
logging_list_logs($1)
admin_pattern($1, fail2ban_log_t)
files_list_runtime($1)
admin_pattern($1, fail2ban_runtime_t)
files_search_var_lib($1)
admin_pattern($1, fail2ban_var_lib_t)
files_search_tmp($1)
admin_pattern($1, fail2ban_tmp_t)
fail2ban_run_client($1, $2)
')
Reference in New Issue View Git Blame Copy Permalink