Remove the fail2ban module sources

The package now maintains its own selinux policy module.
zpytela · Oct 11, 2024 · 8663090 · 8663090
1 parent dca5983
commit 8663090
Show file tree

Hide file tree

Showing 5 changed files with 132 additions and 322 deletions.
diff --git a/dist/mls/modules.conf b/dist/mls/modules.conf
@@ -805,13 +805,6 @@ entropyd = module
 # 
 exim = module
 
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-# 
-fail2ban = module
-
 # Layer: services
 # Module: fetchmail
 #

diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
@@ -946,13 +946,6 @@ entropyd = module
 # 
 exim = module
 
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-# 
-fail2ban = module
-
 # Layer: services
 # Module: fcoe
 #

diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
@@ -10,13 +10,15 @@
 ## </summary>
 ## </param>
 #
-interface(`fail2ban_domtrans',`
-	gen_require(`
-		type fail2ban_t, fail2ban_exec_t;
+ifndef(`fail2ban_domtrans',`
+	interface(`fail2ban_domtrans',`
+		gen_require(`
+			type fail2ban_t, fail2ban_exec_t;
+		')
+
+		corecmd_search_bin($1)
+		domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
 ')
 
 #######################################
@@ -30,13 +32,15 @@ interface(`fail2ban_domtrans',`
 ##  </summary>
 ## </param>
 #
-interface(`fail2ban_domtrans_client',`
-    gen_require(`
-        type fail2ban_client_t, fail2ban_client_exec_t;
-    ')
-
-    corecmd_search_bin($1)
-    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ifndef(`fail2ban_domtrans_client',`
+	interface(`fail2ban_domtrans_client',`
+	    gen_require(`
+	        type fail2ban_client_t, fail2ban_client_exec_t;
+	    ')
+
+	    corecmd_search_bin($1)
+	    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+	')
 ')
 
 #######################################
@@ -57,13 +61,15 @@ interface(`fail2ban_domtrans_client',`
 ##  </summary>
 ## </param>
 #
-interface(`fail2ban_run_client',`
-    gen_require(`
-        attribute_role fail2ban_client_roles;
-    ')
-
-    fail2ban_domtrans_client($1)
-    roleattribute $2 fail2ban_client_roles;
+ifndef(`fail2ban_run_client',`
+	interface(`fail2ban_run_client',`
+	    gen_require(`
+	        attribute_role fail2ban_client_roles;
+	    ')
+
+	    fail2ban_domtrans_client($1)
+	    roleattribute $2 fail2ban_client_roles;
+	')
 ')
 
 #####################################
@@ -77,13 +83,15 @@ interface(`fail2ban_run_client',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_stream_connect',`
-	gen_require(`
-		type fail2ban_t, fail2ban_var_run_t;
+ifndef(`fail2ban_stream_connect',`
+	interface(`fail2ban_stream_connect',`
+		gen_require(`
+			type fail2ban_t, fail2ban_var_run_t;
+		')
+
+		files_search_pids($1)
+		stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
 ')
 
 ########################################
@@ -96,13 +104,15 @@ interface(`fail2ban_stream_connect',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_rw_inherited_tmp_files',`
-	gen_require(`
-		type fail2ban_tmp_t;
+ifndef(`fail2ban_rw_inherited_tmp_files',`
+	interface(`fail2ban_rw_inherited_tmp_files',`
+		gen_require(`
+			type fail2ban_tmp_t;
+		')
+
+		files_search_tmp($1)
+		allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 	')
-
-	files_search_tmp($1)
-	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
@@ -115,12 +125,14 @@ interface(`fail2ban_rw_inherited_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_rw_stream_sockets',`
-	gen_require(`
-		type fail2ban_t;
-	')
+ifndef(`fail2ban_rw_stream_sockets',`
+	interface(`fail2ban_rw_stream_sockets',`
+		gen_require(`
+			type fail2ban_t;
+		')
 
-	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+		allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+	')
 ')
 
 #######################################
@@ -134,12 +146,14 @@ interface(`fail2ban_rw_stream_sockets',`
 ##  </summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_use_fds',`
-    gen_require(`
-        type fail2ban_t;
-    ')
+ifndef(`fail2ban_dontaudit_use_fds',`
+	interface(`fail2ban_dontaudit_use_fds',`
+	    gen_require(`
+	        type fail2ban_t;
+	    ')
 
-    dontaudit $1 fail2ban_t:fd use;
+	    dontaudit $1 fail2ban_t:fd use;
+	')
 ')
 
 #######################################
@@ -153,12 +167,14 @@ interface(`fail2ban_dontaudit_use_fds',`
 ##  </summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
-    gen_require(`
-        type fail2ban_t;
-    ')
+ifndef(`fail2ban_dontaudit_rw_stream_sockets',`
+	interface(`fail2ban_dontaudit_rw_stream_sockets',`
+	    gen_require(`
+	        type fail2ban_t;
+	    ')
 
-    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+	    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+	')
 ')
 
 ########################################
@@ -171,13 +187,15 @@ interface(`fail2ban_dontaudit_rw_stream_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_read_lib_files',`
-	gen_require(`
-		type fail2ban_var_lib_t;
+ifndef(`fail2ban_read_lib_files',`
+	interface(`fail2ban_read_lib_files',`
+		gen_require(`
+			type fail2ban_var_lib_t;
+		')
+
+		files_search_var_lib($1)
+		read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
 ')
 
 ########################################
@@ -191,14 +209,16 @@ interface(`fail2ban_read_lib_files',`
 ## </param>
 ## <rolecap/>
 #
-interface(`fail2ban_read_log',`
-	gen_require(`
-		type fail2ban_log_t;
+ifndef(`fail2ban_read_log',`
+	interface(`fail2ban_read_log',`
+		gen_require(`
+			type fail2ban_log_t;
+		')
+
+		logging_search_logs($1)
+		allow $1 fail2ban_log_t:dir list_dir_perms;
+		allow $1 fail2ban_log_t:file read_file_perms;
 	')
-
-	logging_search_logs($1)
-	allow $1 fail2ban_log_t:dir list_dir_perms;
-	allow $1 fail2ban_log_t:file read_file_perms;
 ')
 
 ########################################
@@ -212,14 +232,16 @@ interface(`fail2ban_read_log',`
 ## 	</summary>
 ## </param>
 #
-interface(`fail2ban_append_log',`
-	gen_require(`
-		type fail2ban_log_t;
+ifndef(`fail2ban_append_log',`
+	interface(`fail2ban_append_log',`
+		gen_require(`
+			type fail2ban_log_t;
+		')
+
+		logging_search_logs($1)
+		allow $1 fail2ban_log_t:dir list_dir_perms;
+		allow $1 fail2ban_log_t:file append_file_perms;
 	')
-
-	logging_search_logs($1)
-	allow $1 fail2ban_log_t:dir list_dir_perms;
-	allow $1 fail2ban_log_t:file append_file_perms;
 ')
 
 ########################################
@@ -232,13 +254,15 @@ interface(`fail2ban_append_log',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_read_pid_files',`
-	gen_require(`
-		type fail2ban_var_run_t;
+ifndef(`fail2ban_read_pid_files',`
+	interface(`fail2ban_read_pid_files',`
+		gen_require(`
+			type fail2ban_var_run_t;
+		')
+
+		files_search_pids($1)
+		allow $1 fail2ban_var_run_t:file read_file_perms;
 	')
-
-	files_search_pids($1)
-	allow $1 fail2ban_var_run_t:file read_file_perms;
 ')
 
 ########################################
@@ -251,14 +275,16 @@ interface(`fail2ban_read_pid_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fail2ban_dontaudit_leaks',`
-	gen_require(`
-		type fail2ban_t;
+ifndef(`fail2ban_dontaudit_leaks',`
+	interface(`fail2ban_dontaudit_leaks',`
+		gen_require(`
+			type fail2ban_t;
+		')
+
+	 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+		dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+		dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 	')
-
- 	dontaudit $1 fail2ban_t:tcp_socket { read write };
-	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
-	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 ')
 
 ########################################
@@ -278,36 +304,38 @@ interface(`fail2ban_dontaudit_leaks',`
 ## </param>
 ## <rolecap/>
 #
-interface(`fail2ban_admin',`
-	gen_require(`
-		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
-		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
-		type fail2ban_client_t;
-	')
+ifndef(`fail2ban_admin',`
+	interface(`fail2ban_admin',`
+		gen_require(`
+			type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+			type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+			type fail2ban_client_t;
+		')
 
-	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
-	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+		allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+		ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
 
-	tunable_policy(`deny_ptrace',`',`
-		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
-	')
+		tunable_policy(`deny_ptrace',`',`
+			allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+		')
 
-	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 fail2ban_initrc_exec_t system_r;
-	allow $2 system_r;
+		init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+		domain_system_change_exemption($1)
+		role_transition $2 fail2ban_initrc_exec_t system_r;
+		allow $2 system_r;
 
-	logging_list_logs($1)
-	admin_pattern($1, fail2ban_log_t)
+		logging_list_logs($1)
+		admin_pattern($1, fail2ban_log_t)
 
-	files_list_pids($1)
-	admin_pattern($1, fail2ban_var_run_t)
+		files_list_pids($1)
+		admin_pattern($1, fail2ban_var_run_t)
 
-	files_list_var_lib($1)
-	admin_pattern($1, fail2ban_var_lib_t)
+		files_list_var_lib($1)
+		admin_pattern($1, fail2ban_var_lib_t)
 
-	files_list_tmp($1)
-	admin_pattern($1, fail2ban_tmp_t)
+		files_list_tmp($1)
+		admin_pattern($1, fail2ban_tmp_t)
 
-	fail2ban_run_client($1, $2)
+		fail2ban_run_client($1, $2)
+	')
 ')