From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 10 Nov 2012 17:50:16 +0100 Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets In-Reply-To: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The fail2ban application leaks file descriptors and unix stream sockets when it invokes sendmail, so introduce the necessary dontaudit interfaces which will be used in a later patch against the mta policy. Signed-off-by: Sven Vermeulen --- fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++ 1 files changed, 38 insertions(+), 0 deletions(-) diff --git a/fail2ban.if b/fail2ban.if index 733a689..9fbba62 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -68,6 +68,25 @@ interface(`fail2ban_run_client',` ##################################### ## +## Do not audit attempts to use +## fail2ban file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_use_fds',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:fd use; +') + +##################################### +## ## Connect to fail2ban over a ## unix domain stream socket. ## @@ -107,6 +126,25 @@ interface(`fail2ban_rw_inherited_tmp_files',` ######################################## ## +## Do not audit read and write fail2ban +## unix stream sockets. +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; +') + +######################################## +## ## Read and write fail2ban unix ## stream sockets. ## -- 1.7.8.6
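Review bot: in the first hunk (`fail2ban_dontaudit_use_fds`), the `dontaudit $1 fail2ban_t:fd use;` rule silences the symptom of a fail2ban defect (file descriptors not marked close-on-exec before sendmail is invoked) rather than the cause, so the commit message or the interface description should say that explicitly, so that the dontaudit can be retired once fail2ban closes its descriptors on exec; as written, a policy reader has no way to tell whether the fd use is benign. Also, the `##` documentation block as it appears here shows only bare `##` lines around "Domain to not audit." with no `<summary>`, `<param name="domain">` or `<desc>` markup that the refpolicy interface documentation generator expects; if those tags were stripped in transit this is fine, otherwise the generated docs will carry an empty entry for this interface.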
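Review bot: in the second hunk (`fail2ban_dontaudit_rw_stream_sockets`), the rule `dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;` dontaudits a broader permission set than the summary "Do not audit read and write fail2ban unix stream sockets" describes, since `rw_stream_socket_perms` covers more than `read` and `write` in refpolicy's object permission sets. For a leaked, already-connected socket the denials the MTA domain generates are on read/write only, so `dontaudit $1 fail2ban_t:unix_stream_socket { read write };` would hide exactly the leak and keep any unexpected connect, bind, listen or accept attempt by the caller visible in the audit log; if the wider set is intentional, the summary should say so. Like the fd interface above, this one has no caller in this patch and depends on the later mta patch mentioned in the commit message, which is worth stating in the interface description so the dependency is not lost if the series is applied partially.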