From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Add interface to start/stop iptables service
Date: Fri, 11 Jan 2019 15:30:52 +0000
Message-ID: <20190111153011.27275-2-dsugar@tresys.com>
References: <20190111153011.27275-1-dsugar@tresys.com>
In-Reply-To: <20190111153011.27275-1-dsugar@tresys.com>
Signed-off-by: Dave Sugar --- policy/modules/system/iptables.if | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/ipta= bles.if index 725a6a3d..a36277a6 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',` dontaudit $1 iptables_runtime_t:file read; ') =20 +######################################## +## +## Allow specified domain to start and stop iptables service +## +## +## +## Domain allowed access. +## +## +# +interface(`iptables_startstop',` + gen_require(` + type iptables_unit_t; + class service { start stop }; + ') + + allow $1 iptables_unit_t:service { start stop }; +') + ######################################## ## ## Allow specified domain to get status of iptables service --=20 2.20.1
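Review bot: the summary promises that the caller can start and stop the iptables service, but the body grants only `service { start stop }` on `iptables_unit_t`, which is the systemd unit; a caller on a system that manages iptables through its init script gets nothing from this interface. Either narrow the summary to say it covers the systemd unit only, or extend the body to cover the init-script path as well, so the interface does what its name and summary say. Separately, a domain that is allowed to start and stop a unit almost always needs `status` on it too; the interface immediately below ("Allow specified domain to get status of iptables service") already grants that, so the split looks deliberate, but a line in the summary telling callers to pair the two would save the next reader a denial hunt.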