diff --git a/dist/mls/modules.conf b/dist/mls/modules.conf
index c60575d2a4..c184477917 100644
--- a/dist/mls/modules.conf
+++ b/dist/mls/modules.conf
@@ -805,13 +805,6 @@ entropyd = module
#
exim = module
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
# Layer: services
# Module: fetchmail
#
diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
index bd92e2ff12..ed23d90f19 100644
--- a/dist/targeted/modules.conf
+++ b/dist/targeted/modules.conf
@@ -946,13 +946,6 @@ entropyd = module
#
exim = module
-# Layer: services
-# Module: fail2ban
-#
-# daiemon that bans IP that makes too many password failures
-#
-fail2ban = module
-
# Layer: services
# Module: fcoe
#
diff --git a/policy/modules/contrib/fail2ban.fc b/policy/modules/contrib/fail2ban.fc
deleted file mode 100644
index 1379b6eef4..0000000000
--- a/policy/modules/contrib/fail2ban.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
-
-/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
-/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
-
-/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
-/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --git a/policy/modules/contrib/fail2ban.if b/policy/modules/contrib/fail2ban.if
index 94e1936060..b5b6a65c5e 100644
--- a/policy/modules/contrib/fail2ban.if
+++ b/policy/modules/contrib/fail2ban.if
@@ -10,13 +10,15 @@
##
##
#
-interface(`fail2ban_domtrans',`
- gen_require(`
- type fail2ban_t, fail2ban_exec_t;
+ifndef(`fail2ban_domtrans',`
+ interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
')
#######################################
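Review bot: The new ifndef() guard around fail2ban_domtrans, and the identical guards on every other interface in this file through fail2ban_admin, leave no record of why the definitions became conditional, while fail2ban.te and fail2ban.fc are deleted in the same commit and the module is dropped from both modules.conf files. With no declaration of fail2ban_t, fail2ban_exec_t and the other gen_require'd types left in this tree, any caller of these interfaces that is not inside an optional_policy() block would presumably fail to build, and the guard means this copy is silently skipped whenever a same-named interface has already been defined by another source, so the result depends on processing order; ifndef is also not an m4 builtin, so this relies on the build's support macros providing it. A short header comment before the first interface would make the intent explicit: `# fail2ban.te/.fc are no longer in this tree; these interfaces are kept under ifndef() so they yield to a same-named interface from another policy source and remain callable from optional_policy() blocks.`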
@@ -30,13 +32,15 @@ interface(`fail2ban_domtrans',`
##
##
#
-interface(`fail2ban_domtrans_client',`
- gen_require(`
- type fail2ban_client_t, fail2ban_client_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ifndef(`fail2ban_domtrans_client',`
+ interface(`fail2ban_domtrans_client',`
+ gen_require(`
+ type fail2ban_client_t, fail2ban_client_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+ ')
')
#######################################
@@ -57,13 +61,15 @@ interface(`fail2ban_domtrans_client',`
##
##
#
-interface(`fail2ban_run_client',`
- gen_require(`
- attribute_role fail2ban_client_roles;
- ')
-
- fail2ban_domtrans_client($1)
- roleattribute $2 fail2ban_client_roles;
+ifndef(`fail2ban_run_client',`
+ interface(`fail2ban_run_client',`
+ gen_require(`
+ attribute_role fail2ban_client_roles;
+ ')
+
+ fail2ban_domtrans_client($1)
+ roleattribute $2 fail2ban_client_roles;
+ ')
')
#####################################
@@ -77,13 +83,15 @@ interface(`fail2ban_run_client',`
##
##
#
-interface(`fail2ban_stream_connect',`
- gen_require(`
- type fail2ban_t, fail2ban_var_run_t;
+ifndef(`fail2ban_stream_connect',`
+ interface(`fail2ban_stream_connect',`
+ gen_require(`
+ type fail2ban_t, fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
')
-
- files_search_pids($1)
- stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
')
########################################
@@ -96,13 +104,15 @@ interface(`fail2ban_stream_connect',`
##
##
#
-interface(`fail2ban_rw_inherited_tmp_files',`
- gen_require(`
- type fail2ban_tmp_t;
+ifndef(`fail2ban_rw_inherited_tmp_files',`
+ interface(`fail2ban_rw_inherited_tmp_files',`
+ gen_require(`
+ type fail2ban_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
-
- files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
')
########################################
@@ -115,12 +125,14 @@ interface(`fail2ban_rw_inherited_tmp_files',`
##
##
#
-interface(`fail2ban_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+ifndef(`fail2ban_rw_stream_sockets',`
+ interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ ')
')
#######################################
@@ -134,12 +146,14 @@ interface(`fail2ban_rw_stream_sockets',`
##
##
#
-interface(`fail2ban_dontaudit_use_fds',`
- gen_require(`
- type fail2ban_t;
- ')
+ifndef(`fail2ban_dontaudit_use_fds',`
+ interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- dontaudit $1 fail2ban_t:fd use;
+ dontaudit $1 fail2ban_t:fd use;
+ ')
')
#######################################
@@ -153,12 +167,14 @@ interface(`fail2ban_dontaudit_use_fds',`
##
##
#
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
+ifndef(`fail2ban_dontaudit_rw_stream_sockets',`
+ interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ ')
')
########################################
@@ -171,13 +187,15 @@ interface(`fail2ban_dontaudit_rw_stream_sockets',`
##
##
#
-interface(`fail2ban_read_lib_files',`
- gen_require(`
- type fail2ban_var_lib_t;
+ifndef(`fail2ban_read_lib_files',`
+ interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
-
- files_search_var_lib($1)
- read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
')
########################################
@@ -191,14 +209,16 @@ interface(`fail2ban_read_lib_files',`
##
##
#
-interface(`fail2ban_read_log',`
- gen_require(`
- type fail2ban_log_t;
+ifndef(`fail2ban_read_log',`
+ interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file read_file_perms;
')
-
- logging_search_logs($1)
- allow $1 fail2ban_log_t:dir list_dir_perms;
- allow $1 fail2ban_log_t:file read_file_perms;
')
########################################
@@ -212,14 +232,16 @@ interface(`fail2ban_read_log',`
##
##
#
-interface(`fail2ban_append_log',`
- gen_require(`
- type fail2ban_log_t;
+ifndef(`fail2ban_append_log',`
+ interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
')
-
- logging_search_logs($1)
- allow $1 fail2ban_log_t:dir list_dir_perms;
- allow $1 fail2ban_log_t:file append_file_perms;
')
########################################
@@ -232,13 +254,15 @@ interface(`fail2ban_append_log',`
##
##
#
-interface(`fail2ban_read_pid_files',`
- gen_require(`
- type fail2ban_var_run_t;
+ifndef(`fail2ban_read_pid_files',`
+ interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
')
-
- files_search_pids($1)
- allow $1 fail2ban_var_run_t:file read_file_perms;
')
########################################
@@ -251,14 +275,16 @@ interface(`fail2ban_read_pid_files',`
##
##
#
-interface(`fail2ban_dontaudit_leaks',`
- gen_require(`
- type fail2ban_t;
+ifndef(`fail2ban_dontaudit_leaks',`
+ interface(`fail2ban_dontaudit_leaks',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
-
- dontaudit $1 fail2ban_t:tcp_socket { read write };
- dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
########################################
@@ -278,36 +304,38 @@ interface(`fail2ban_dontaudit_leaks',`
##
##
#
-interface(`fail2ban_admin',`
- gen_require(`
- type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
- type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
- type fail2ban_client_t;
- ')
+ifndef(`fail2ban_admin',`
+ interface(`fail2ban_admin',`
+ gen_require(`
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+ type fail2ban_client_t;
+ ')
- allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
- ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+ ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
- tunable_policy(`deny_ptrace',`',`
- allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
- ')
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+ ')
- init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 fail2ban_initrc_exec_t system_r;
- allow $2 system_r;
+ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fail2ban_initrc_exec_t system_r;
+ allow $2 system_r;
- logging_list_logs($1)
- admin_pattern($1, fail2ban_log_t)
+ logging_list_logs($1)
+ admin_pattern($1, fail2ban_log_t)
- files_list_pids($1)
- admin_pattern($1, fail2ban_var_run_t)
+ files_list_pids($1)
+ admin_pattern($1, fail2ban_var_run_t)
- files_list_var_lib($1)
- admin_pattern($1, fail2ban_var_lib_t)
+ files_list_var_lib($1)
+ admin_pattern($1, fail2ban_var_lib_t)
- files_list_tmp($1)
- admin_pattern($1, fail2ban_tmp_t)
+ files_list_tmp($1)
+ admin_pattern($1, fail2ban_tmp_t)
- fail2ban_run_client($1, $2)
+ fail2ban_run_client($1, $2)
+ ')
')
diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
deleted file mode 100644
index 92615cade1..0000000000
--- a/policy/modules/contrib/fail2ban.te
+++ /dev/null
@@ -1,195 +0,0 @@
-policy_module(fail2ban, 1.5.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute_role fail2ban_client_roles;
-
-type fail2ban_t;
-type fail2ban_exec_t;
-init_daemon_domain(fail2ban_t, fail2ban_exec_t)
-
-type fail2ban_initrc_exec_t;
-init_script_file(fail2ban_initrc_exec_t)
-
-type fail2ban_log_t;
-logging_log_file(fail2ban_log_t)
-
-type fail2ban_var_lib_t;
-files_type(fail2ban_var_lib_t)
-
-type fail2ban_var_run_t;
-files_pid_file(fail2ban_var_run_t)
-
-type fail2ban_tmp_t;
-files_tmp_file(fail2ban_tmp_t)
-
-type fail2ban_client_t;
-type fail2ban_client_exec_t;
-init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
-role fail2ban_client_roles types fail2ban_client_t;
-
-########################################
-#
-# Server Local policy
-#
-
-allow fail2ban_t self:capability { dac_read_search sys_tty_config };
-allow fail2ban_t self:process { getpgid setsched signal };
-allow fail2ban_t self:fifo_file rw_fifo_file_perms;
-allow fail2ban_t self:unix_stream_socket { accept connectto listen };
-allow fail2ban_t self:tcp_socket { accept listen };
-allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
-
-read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
-
-allow fail2ban_t fail2ban_log_t:file watch;
-append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
-
-manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
-
-manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
-
-manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
-
-kernel_read_system_state(fail2ban_t)
-kernel_read_network_state(fail2ban_t)
-kernel_read_net_sysctls(fail2ban_t)
-
-corecmd_exec_bin(fail2ban_t)
-corecmd_exec_shell(fail2ban_t)
-
-corenet_all_recvfrom_netlabel(fail2ban_t)
-corenet_tcp_sendrecv_generic_if(fail2ban_t)
-corenet_tcp_sendrecv_generic_node(fail2ban_t)
-
-corenet_sendrecv_whois_client_packets(fail2ban_t)
-corenet_tcp_connect_whois_port(fail2ban_t)
-corenet_tcp_sendrecv_whois_port(fail2ban_t)
-
-dev_read_urand(fail2ban_t)
-dev_read_sysfs(fail2ban_t)
-
-domain_use_interactive_fds(fail2ban_t)
-domain_dontaudit_read_all_domains_state(fail2ban_t)
-
-files_read_etc_runtime_files(fail2ban_t)
-files_list_var(fail2ban_t)
-files_dontaudit_list_tmp(fail2ban_t)
-
-fs_getattr_all_fs(fail2ban_t)
-
-auth_use_nsswitch(fail2ban_t)
-
-logging_read_all_logs(fail2ban_t)
-logging_read_audit_log(fail2ban_t)
-logging_send_syslog_msg(fail2ban_t)
-logging_read_syslog_pid(fail2ban_t)
-logging_dontaudit_search_audit_logs(fail2ban_t)
-logging_mmap_generic_logs(fail2ban_t)
-logging_mmap_journal(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
-logging_watch_generic_log_dirs(fail2ban_t)
-logging_watch_journal_dir(fail2ban_t)
-
-mta_send_mail(fail2ban_t)
-
-sysnet_manage_config(fail2ban_t)
-
-optional_policy(`
- apache_read_log(fail2ban_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(fail2ban_t)
- dbus_connect_system_bus(fail2ban_t)
-
- optional_policy(`
- firewalld_dbus_chat(fail2ban_t)
- ')
-')
-
-optional_policy(`
- ftp_read_log(fail2ban_t)
-')
-
-optional_policy(`
- gnome_dontaudit_search_config(fail2ban_t)
-')
-
-optional_policy(`
- iptables_domtrans(fail2ban_t)
-')
-
-optional_policy(`
- allow fail2ban_t self:capability sys_resource;
- allow fail2ban_t self:process setrlimit;
- journalctl_exec(fail2ban_t)
-')
-
-optional_policy(`
- libs_exec_ldconfig(fail2ban_t)
-')
-
-optional_policy(`
- rpm_exec(fail2ban_t)
-')
-
-optional_policy(`
- shorewall_domtrans(fail2ban_t)
-')
-
-########################################
-#
-# Client Local policy
-#
-
-allow fail2ban_client_t self:capability { dac_read_search };
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
-
-domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
-
-allow fail2ban_client_t fail2ban_t:process { rlimitinh };
-
-dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
-allow fail2ban_client_t fail2ban_var_run_t:dir write;
-stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-
-kernel_read_system_state(fail2ban_client_t)
-
-corecmd_exec_bin(fail2ban_client_t)
-
-dev_read_urand(fail2ban_client_t)
-dev_read_rand(fail2ban_client_t)
-
-domain_use_interactive_fds(fail2ban_client_t)
-
-files_search_pids(fail2ban_client_t)
-
-auth_use_nsswitch(fail2ban_client_t)
-
-libs_exec_ldconfig(fail2ban_client_t)
-
-logging_getattr_all_logs(fail2ban_client_t)
-logging_search_all_logs(fail2ban_client_t)
-logging_read_audit_log(fail2ban_client_t)
-
-userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
-userdom_use_user_terminals(fail2ban_client_t)
-
-optional_policy(`
- apache_read_log(fail2ban_client_t)
-')