From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 17 Nov 2012 21:58:49 +0100 Subject: [refpolicy] [PATCH v1 3/9] Introduce dontaudit interfaces for leaked fd and unix stream sockets In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be> References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1353185935-17421-4-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The fail2ban application leaks file descriptors and unix stream sockets when it invokes sendmail, so introduce the necessary dontaudit interfaces which will be used in a later patch against the mta and postfix policies. Signed-off-by: Sven Vermeulen --- fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++ 1 files changed, 38 insertions(+), 0 deletions(-) diff --git a/fail2ban.if b/fail2ban.if index 733a689..275fb9e 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -107,6 +107,44 @@ interface(`fail2ban_rw_inherited_tmp_files',` ######################################## ## +## Do not audit attempts to use +## fail2ban file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_use_fds',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:fd use; +') + +######################################## +## +## Do not audit read and write +## fail2ban unix stream sockets +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## ## Read and write fail2ban unix ## stream sockets. ## -- 1.7.8.6
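Review bot: the summary of the second new interface, fail2ban_dontaudit_rw_stream_sockets, reads "## Do not audit read and write ## fail2ban unix stream sockets" without a terminating period, while the fail2ban_dontaudit_use_fds summary directly above it ("## fail2ban file descriptors.") and the existing fail2ban_rw_stream_sockets summary below it ("## stream sockets.") both end with one; make it "## fail2ban unix stream sockets." so the three descriptions match. On documentation, the commit message explains that these interfaces exist because fail2ban leaks its file descriptors and unix stream sockets into the sendmail it spawns, but neither interface description says so; a one-line mention that these cover descriptors inherited across the sendmail exec (rather than sockets a caller deliberately connects to) would tell the mta and postfix policy authors in the later patch why a dontaudit, not an allow, is the right call here.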