From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Add interface to get status of iptables service
Date: Mon, 7 Jan 2019 19:50:23 +0000
Message-ID: <20190107194942.21508-1-dsugar@tresys.com>

Signed-off-by: Dave Sugar --- policy/modules/system/iptables.if | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/ipta= bles.if index 7d8f1821..725a6a3d 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',` dontaudit $1 iptables_runtime_t:file read; ') =20 +######################################## +## +## Allow specified domain to get status of iptables service +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_status',` + gen_require(` + type iptables_unit_t; + class service status; + ') + + allow $1 iptables_unit_t:service status; +') + ######################################## ## ## All of the rules required to --=20 2.20.1
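
Review bot: in the summary comment of the new `iptables_status` interface, "get status of iptables service" is narrower than what the rule grants, since `allow $1 iptables_unit_t:service status;` applies to every unit file labelled `iptables_unit_t`, not to one named service. Consider wording the summary in terms of the unit type so callers can see the actual scope. The commit message also carries only the Signed-off-by line; a sentence naming the domain that needs this access would let reviewers judge whether `status` alone is the right permission set.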