Return-Path: <SRS0=lgLh=PT=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9A80BC43612
	for <selinux-refpolicy@archiver.kernel.org>; Fri, 11 Jan 2019 15:30:56 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 698A720836
	for <selinux-refpolicy@archiver.kernel.org>; Fri, 11 Jan 2019 15:30:56 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=tresys.onmicrosoft.com header.i=@tresys.onmicrosoft.com header.b="gOd/4RZD"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732209AbfAKPa4 (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Fri, 11 Jan 2019 10:30:56 -0500
Received: from mail-eopbgr700120.outbound.protection.outlook.com ([40.107.70.120]:34256
        "EHLO NAM04-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1731608AbfAKPaz (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 11 Jan 2019 10:30:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector1-tresys-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=x6ZLQsrFFLwmds0jzKoqz2lpUmxvcdcXfLzGDJCHGgE=;
 b=gOd/4RZDFPS0khL7LGa6tHAG4ZwSpf3EQn7lepWA9Ssw7oEq9Q64a65ixkLoa1zpFCbHgzXI1hWCUXnKkezED78GvEy2+uJ5nqFDX1QcTOTNGGpRLuoBXpkP0PtASuJTfO6wnK+seGdl/SrPEfFc3BAvJETSChVimHzz7mduwm0=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1378.namprd15.prod.outlook.com (10.172.150.15) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1516.15; Fri, 11 Jan 2019 15:30:52 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::6d82:5bd:50b3:6a10]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::6d82:5bd:50b3:6a10%3]) with mapi id 15.20.1516.016; Fri, 11 Jan 2019
 15:30:52 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Add interface to start/stop iptables service
Thread-Topic: [PATCH] Add interface to start/stop iptables service
Thread-Index: AQHUqcKitQdd/ScAvEq7uH/h9EXDhg==
Date:   Fri, 11 Jan 2019 15:30:52 +0000
Message-ID: <20190111153011.27275-2-dsugar@tresys.com>
References: <20190111153011.27275-1-dsugar@tresys.com>
In-Reply-To: <20190111153011.27275-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.244.17.66]
x-clientproxiedby: BN8PR12CA0034.namprd12.prod.outlook.com
 (2603:10b6:408:60::47) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR15MB1378;6:TT+PUcrYBycIaHZrCj/AsWem1gYvrBOnnyur/PNjiCTmLCahzVAOAAmaiU3WGrTas+C8Pk8HXU+/1zZvxDEhnZIoVX5MGHlhypjTtLfXpBRHzRqL8EIUqP2SqaIH+gPXTCrfaig0axszPaMOlSArB5ivMDsFUGTmM18MM/tJgUe01KqmIGL6wkDcyidI8ZkQHzeD3UMC3fg3LiMPyxV8bGdJ53x8yHcUjrgmgNW9MeLMEnmVnEpxDF6AsU+a23VU2HcXEJBYa0S9N6X2ugFybzzlVMi8CTTttVkn+4QJmGAZhgQd5oCEuC0TqTV87Z0YT6sfLkenXNKj1Js18xUeFVRxcfSJEM5Lt28z5qb+Ehcb0/DjCu1MCqzB1tmqInLQB/44Ha3Tz4vfJw3Gld8S97Q1f0hQFmNxQOaUcUEGxVIqee8ZKRdgWXmioIxfng2zxnv6jMPDkvpJtDoYAxBvBg==;5:fycMLmcpj5ohj5LaQa1IeUZXAljkyX/a6qbMtlSs/2pArcAD+eEk2WmeWZcXKRG0E1HcN5kP42qY82CNdHWjOxsoqpLoALJs4m00GMjfm57b1OUxPsrjW36oOkl/WC2hSCgl6icfmW8WJ7tQDu2sBjTAYPnmvhfmqUWXr63sItEyWsOGR3Yb2MyOFpK4uG14vr0oTv/Rev7+MOHjQLhseQ==;7:LRLTzvUpbGKgoeGsCN1EzC9+c8+/MP8l1Z2i4m+wauqjap8Ubgqp2Enno8vNeATswpBsMISz+SWhE6n8R/LdvNSEu9esV61cmqQY04peun2rHy9kbO2Wzv9kkETaWPxbYbtQFdOT8u/sc4qNTcuN+Q==
x-ms-office365-filtering-correlation-id: 8086b4a5-f9e3-4cfe-b68f-08d677d9c53e
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600109)(711020)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1378;
x-ms-traffictypediagnostic: BN6PR15MB1378:
x-microsoft-antispam-prvs: <BN6PR15MB13788E055689C4D67EFFD048B9850@BN6PR15MB1378.namprd15.prod.outlook.com>
x-forefront-prvs: 09144DB0F7
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39830400003)(376002)(366004)(136003)(346002)(396003)(189003)(199004)(316002)(86362001)(14444005)(6916009)(36756003)(66066001)(256004)(97736004)(508600001)(99286004)(14454004)(5660300001)(4744005)(71200400001)(71190400001)(105586002)(106356001)(2906002)(76176011)(26005)(102836004)(2351001)(6506007)(386003)(53936002)(6512007)(6116002)(3846002)(7736002)(11346002)(52116002)(486006)(476003)(2616005)(8676002)(81156014)(8936002)(186003)(2501003)(446003)(6486002)(81166006)(5640700003)(6436002)(305945005)(68736007)(1076003)(25786009);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1378;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: yF0ftN9G2gTzXz6MfEdPXKhUhxNuhoFXMnNgkKiUQ1BkU8VJupJdxbfaH/GM5P0y4sKoeENbKxWrQTEsGQWC70gN51YDbDfr82uHQjQPAwk4iApI/fmtv72Bli9Eqsw4QiOVttuVnuFS7qc2MUs/s2vhEG4dds+rctWpjfRFZoIdDr5NQizET+NLcW1LiP6lQv/xw08HDaWP/YwMjzJc41n977W8FgoA/yHUuWdsdn/JFOT0gVdV+GzZ1qc7sFzTdf3Wh5tKQLaTApi5092TtWkB36E2P1hM0OH1GMjufcOa8mtUaXgOoHTLhf+kVK314zrCMqO6RZtzcMT4FTcA4NLbnj9B4QW83JKAMFVl9bKAmpy8p8tPDfT4xlsjOsTVAxLNEDfTBN7zuqLFIOIEe5Ta0cCsXn6qhlrajcwCGxE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8086b4a5-f9e3-4cfe-b68f-08d677d9c53e
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2019 15:30:52.4177
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1378
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/iptables.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/ipta=
bles.if
index 725a6a3d..a36277a6 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
 	dontaudit $1 iptables_runtime_t:file read;
 ')
=20
+########################################
+## <summary>
+##	Allow specified domain to start and stop iptables service
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_startstop',`
+	gen_require(`
+		type iptables_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 iptables_unit_t:service { start stop };
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to get status of iptables service
--=20
2.20.1