From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 14 Nov 2012 19:06:13 +0100 Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets In-Reply-To: <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be> References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> <1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1352916373.3654.3.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-11-10 at 17:50 +0100, Sven Vermeulen wrote: > The fail2ban application leaks file descriptors and unix stream sockets when it > invokes sendmail, so introduce the necessary dontaudit interfaces which will be > used in a later patch against the mta policy. > > Signed-off-by: Sven Vermeulen > --- > fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++ > 1 files changed, 38 insertions(+), 0 deletions(-) > > diff --git a/fail2ban.if b/fail2ban.if > index 733a689..9fbba62 100644 > --- a/fail2ban.if > +++ b/fail2ban.if > @@ -68,6 +68,25 @@ interface(`fail2ban_run_client',` > > ##################################### > ## > +## Do not audit attempts to use > +## fail2ban file descriptors. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`fail2ban_dontaudit_use_fds',` > + gen_require(` > + type fail2ban_t; > + ') > + > + dontaudit $1 fail2ban_t:fd use; > +') > + > +##################################### > +## > ## Connect to fail2ban over a > ## unix domain stream socket. > ## 
> @@ -107,6 +126,25 @@ interface(`fail2ban_rw_inherited_tmp_files',` > > ######################################## > ## > +## Do not audit read and write fail2ban > +## unix stream sockets. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`fail2ban_dontaudit_rw_stream_sockets',` > + gen_require(` > + type fail2ban_t; > + ') > + > + dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; > +') We should read create a rw_inherited_socket_perms permission set and use that instead in my honest opinion > +######################################## > +## > ## Read and write fail2ban unix > ## stream sockets. > ##
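Review bot: In the first hunk, `dontaudit $1 fail2ban_t:fd use;` only silences the denial; the leaked descriptor is still inherited by whatever domain is passed as $1 (the mta domain, per the commit message), so the interface summary or the commit message should state that this is a workaround for a fail2ban bug and that the real fix is for fail2ban to open those descriptors close-on-exec before invoking sendmail, otherwise the dontaudit tends to outlive the bug it papers over. Minor: the new block is introduced with the 37-character `#####################################` separator while the second interface uses the full-width `########################################`; the file already mixes both, but new interfaces are better added with the full-width one.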
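Review bot: In the second hunk the summary promises "Do not audit read and write" but the rule is `dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;`, and rw_stream_socket_perms is the broad stream-socket permission set, not just read and write. A socket leaked across exec only ever triggers read/write style denials, so a narrower set, such as the `rw_inherited_socket_perms` proposed in the reply or an explicit `{ read write }`, keeps this dontaudit from also hiding genuine attempts by $1 to connect to or otherwise operate on fail2ban's socket, which are exactly the denials you want to keep seeing in the audit log.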