2017-06-08 17:12:11

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/3] iptables: align file contexts

From: cgzones <[email protected]>

---
policy/modules/system/iptables.fc | 74 +++++++++++++++++++--------------------
1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 7e71bdb4b..181eee95c 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,41 +1,41 @@
-/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)

-/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)

-/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)

-/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)

-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
--
2.11.0


2017-06-08 17:12:12

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/3] iptables: update

From: cgzones <[email protected]>

---
policy/modules/system/iptables.fc | 6 +++---
policy/modules/system/iptables.if | 33 ++++++++++++++++-----------------
policy/modules/system/iptables.te | 24 +++++++-----------------
3 files changed, 26 insertions(+), 37 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95c..60ad98374 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)

+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+
/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -36,6 +39,3 @@
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4b..7d8f18217 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <summary>Policy for iptables.</summary>
+## <summary>Administration tool for IP packet filtering and NAT.</summary>

########################################
## <summary>
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
can_exec($1, iptables_exec_t)
')

-#####################################
+########################################
## <summary>
## Execute iptables init scripts in
## the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')

-#####################################
+########################################
## <summary>
## Set the attributes of iptables config files.
## </summary>
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
allow $1 iptables_conf_t:file setattr;
')

-#####################################
+########################################
## <summary>
## Read iptables config files.
## </summary>
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

-#####################################
+########################################
## <summary>
## Create files in /etc with the type used for
## the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
files_etc_filetrans($1, iptables_conf_t, file)
')

-###################################
+########################################
## <summary>
## Manage iptables config files.
## </summary>
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

-###################################
+########################################
## <summary>
-## dontaudit reading iptables_var_run_t
+## dontaudit reading iptables_runtime_t
## </summary>
## <param name="domain">
## <summary>
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
#
interface(`iptables_dontaudit_read_pids',`
gen_require(`
- type iptables_var_run_t;
+ type iptables_runtime_t;
')

- dontaudit $1 iptables_var_run_t:file read;
+ dontaudit $1 iptables_runtime_t:file read;
')

########################################
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
')

- allow $1 iptables_t:process { ptrace signal_perms };
- ps_process_pattern($1, iptables_t)
+ admin_process_pattern($1, iptables_t)

init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)

- files_list_etc($1)
+ files_search_etc($1)
admin_pattern($1, iptables_conf_t)

- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, iptables_tmp_t)

- files_list_pids($1)
- admin_pattern($1, iptables_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, iptables_runtime_t)
')
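Review bot: Replacing files_list_etc, files_list_tmp and files_list_pids with their files_search_* counterparts narrows what iptables_admin grants from directory listing to path traversal, and the commit message above the diffstat is empty, so the intent is not recorded. A caller that relied on iptables_admin alone to list /etc, /tmp or /run would lose that, although administrative domains typically obtain listing elsewhere; a message line such as `Narrow iptables_admin to search on /etc, /tmp and /run; admin_pattern still grants full access to the iptables-labeled files.` would make this reviewable. The switch to admin_process_pattern looks equivalent to the removed explicit ptrace/signal_perms allow plus ps_process_pattern, assuming that macro expands to exactly those two rules — worth confirming against misc_patterns.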
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0cb..869e684ea 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
type iptables_conf_t;
files_config_file(iptables_conf_t)

+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)

type iptables_unit_t;
init_unit_file(iptables_unit_t)

-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
########################################
#
# Iptables local policy
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
files_etc_filetrans(iptables_t, iptables_conf_t, file)

-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
can_exec(iptables_t, iptables_exec_t)

+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })

-kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
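Review bot: kernel_getattr_proc(iptables_t) is removed here with no rationale, and the same applies to the removals in the @@ -76 hunk (term_dontaudit_use_console), the @@ -96 hunk (sysnet_dns_name_resolve, userdom_use_all_users_fds) and the @@ -142 hunk (seutil_sigchld_newrole); the commit description is empty. kernel_read_system_state does not obviously cover the filesystem getattr that kernel_getattr_proc grants, so a statfs on /proc by iptables_t may start being denied. Dropping a dontaudit rule removes no access but turns a previously silenced denial into audit noise, so it is worth confirming the console access no longer occurs. iptables resolves hostnames written in rule specifications at insertion time; if the DNS rules are already reached through auth_use_nsswitch(iptables_t), the message should say so, otherwise rules naming hosts would be denied. One line per dropped rule, e.g. `Drop sysnet_dns_name_resolve: already provided via auth_use_nsswitch.`, would make each removal verifiable.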
@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)

mls_file_read_all_levels(iptables_t)

-term_dontaudit_use_console(iptables_t)
-
domain_use_interactive_fds(iptables_t)

-files_read_etc_files(iptables_t)
files_read_etc_runtime_files(iptables_t)

auth_use_nsswitch(iptables_t)
@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
miscfiles_read_localization(iptables_t)

sysnet_run_ifconfig(iptables_t, iptables_roles)
-sysnet_dns_name_resolve(iptables_t)

-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)

ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_mtrr(iptables_t)
@@ -142,10 +136,6 @@ optional_policy(`
')

optional_policy(`
- seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
shorewall_read_config(iptables_t)
--
2.11.0

2017-06-08 17:12:13

by Christian Göttsche

Subject: [refpolicy] [PATCH 3/3] iptables: add xtables-compat-multi fc

From: cgzones <[email protected]>

---
policy/modules/system/iptables.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 60ad98374..32877b263 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -19,6 +19,7 @@
/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)

/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
@@ -38,4 +39,5 @@
/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
2.11.0

2017-06-08 17:38:49

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] iptables: update



On the 8th of June 2017 19:12:12 CEST, "Christian Göttsche via refpolicy" <[email protected]> wrote:
>From: cgzones <[email protected]>
>
>---
> policy/modules/system/iptables.fc | 6 +++---
>policy/modules/system/iptables.if | 33
>++++++++++++++++-----------------
> policy/modules/system/iptables.te | 24 +++++++-----------------
> 3 files changed, 26 insertions(+), 37 deletions(-)
>
>diff --git a/policy/modules/system/iptables.fc
>b/policy/modules/system/iptables.fc
>index 181eee95c..60ad98374 100644
>--- a/policy/modules/system/iptables.fc
>+++ b/policy/modules/system/iptables.fc
>@@ -4,6 +4,9 @@
>/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
>+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>+
>/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
>/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
>/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
>@@ -36,6 +39,3 @@
>/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
>/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>-
>-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>diff --git a/policy/modules/system/iptables.if
>b/policy/modules/system/iptables.if
>index 6321f8c4b..7d8f18217 100644
>--- a/policy/modules/system/iptables.if
>+++ b/policy/modules/system/iptables.if
>@@ -1,4 +1,4 @@
>-## <summary>Policy for iptables.</summary>
>+## <summary>Administration tool for IP packet filtering and
>NAT.</summary>
>
> ########################################
> ## <summary>
>@@ -68,7 +68,7 @@ interface(`iptables_exec',`
> can_exec($1, iptables_exec_t)
> ')
>
>-#####################################
>+########################################
> ## <summary>
> ## Execute iptables init scripts in
> ## the init script domain.
>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
> ')
>
>-#####################################
>+########################################
> ## <summary>
> ## Set the attributes of iptables config files.
> ## </summary>
>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
> allow $1 iptables_conf_t:file setattr;
> ')
>
>-#####################################
>+########################################
> ## <summary>
> ## Read iptables config files.
> ## </summary>
>@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
> read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
>-#####################################
>+########################################
> ## <summary>
> ## Create files in /etc with the type used for
> ## the iptables config files.
>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
> files_etc_filetrans($1, iptables_conf_t, file)
> ')
>
>-###################################
>+########################################
> ## <summary>
> ## Manage iptables config files.
> ## </summary>
>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
>-###################################
>+########################################
> ## <summary>
>-## dontaudit reading iptables_var_run_t
>+## dontaudit reading iptables_runtime_t
> ## </summary>
> ## <param name="domain">
> ## <summary>
>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
> #
> interface(`iptables_dontaudit_read_pids',`
> gen_require(`
>- type iptables_var_run_t;
>+ type iptables_runtime_t;
> ')
>
>- dontaudit $1 iptables_var_run_t:file read;
>+ dontaudit $1 iptables_runtime_t:file read;
> ')
>
> ########################################
>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
> interface(`iptables_admin',`
> gen_require(`
> type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
> ')
>
>- allow $1 iptables_t:process { ptrace signal_perms };
>- ps_process_pattern($1, iptables_t)
>+ admin_process_pattern($1, iptables_t)
>
> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>iptables_unit_t)
>
>- files_list_etc($1)
>+ files_search_etc($1)
> admin_pattern($1, iptables_conf_t)
>
>- files_list_tmp($1)
>+ files_search_tmp($1)
> admin_pattern($1, iptables_tmp_t)
>
>- files_list_pids($1)
>- admin_pattern($1, iptables_var_run_t)
>+ files_search_pids($1)
>+ admin_pattern($1, iptables_runtime_t)
> ')
>diff --git a/policy/modules/system/iptables.te
>b/policy/modules/system/iptables.te
>index 5de8db0cb..869e684ea 100644
>--- a/policy/modules/system/iptables.te
>+++ b/policy/modules/system/iptables.te
>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
> type iptables_conf_t;
> files_config_file(iptables_conf_t)
>
>+type iptables_runtime_t alias iptables_var_run_t;
>+files_pid_file(iptables_runtime_t)
>+
> type iptables_tmp_t;
> files_tmp_file(iptables_tmp_t)
>
> type iptables_unit_t;
> init_unit_file(iptables_unit_t)
>
>-type iptables_var_run_t;
>-files_pid_file(iptables_var_run_t)
>-
> ########################################
> #
> # Iptables local policy
>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>create_socket_perms;
> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>
>-manage_files_pattern(iptables_t, iptables_var_run_t,
>iptables_var_run_t)
>-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>-
> can_exec(iptables_t, iptables_exec_t)
>
>+manage_files_pattern(iptables_t, iptables_runtime_t,
>iptables_runtime_t)
>+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>+
> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
> allow iptables_t iptables_tmp_t:file manage_file_perms;
> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>
>-kernel_getattr_proc(iptables_t)
> kernel_request_load_module(iptables_t)
> kernel_read_system_state(iptables_t)
> kernel_read_network_state(iptables_t)
>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>
> mls_file_read_all_levels(iptables_t)
>
>-term_dontaudit_use_console(iptables_t)
>-
> domain_use_interactive_fds(iptables_t)
>
>-files_read_etc_files(iptables_t)

I suspect that if you remove files_read_etc_files() from iptables.te and leave only files_read_etc_runtime_files(), you also need to create a more generic file context in kernel/files.fc: instead of just /etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*

But I have not tested yet, so I am not 100% sure yet...
files_read_etc_runtime_files(iptables_t)
>
> auth_use_nsswitch(iptables_t)
>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
> miscfiles_read_localization(iptables_t)
>
> sysnet_run_ifconfig(iptables_t, iptables_roles)
>-sysnet_dns_name_resolve(iptables_t)
>
>-userdom_use_user_terminals(iptables_t)
>-userdom_use_all_users_fds(iptables_t)
>+userdom_use_inherited_user_terminals(iptables_t)
>
> ifdef(`hide_broken_symptoms',`
> dev_dontaudit_write_mtrr(iptables_t)
>@@ -142,10 +136,6 @@ optional_policy(`
> ')
>
> optional_policy(`
>- seutil_sigchld_newrole(iptables_t)
>-')
>-
>-optional_policy(`
> shorewall_read_tmp_files(iptables_t)
> shorewall_rw_lib_files(iptables_t)
> shorewall_read_config(iptables_t)

Regards,

Guido

2017-06-08 17:46:31

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] iptables: update

I was wrong...

On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy <[email protected]> wrote:
>
>
>On the 8th of June 2017 19:12:12 CEST, "Christian Göttsche via
>refpolicy" <[email protected]> wrote:
>>From: cgzones <[email protected]>
>>
>>---
>> policy/modules/system/iptables.fc | 6 +++---
>>policy/modules/system/iptables.if | 33
>>++++++++++++++++-----------------
>> policy/modules/system/iptables.te | 24 +++++++-----------------
>> 3 files changed, 26 insertions(+), 37 deletions(-)
>>
>>diff --git a/policy/modules/system/iptables.fc
>>b/policy/modules/system/iptables.fc
>>index 181eee95c..60ad98374 100644
>>--- a/policy/modules/system/iptables.fc
>>+++ b/policy/modules/system/iptables.fc
>>@@ -4,6 +4,9 @@
>>/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>
>>+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>+
>>/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>@@ -36,6 +39,3 @@
>>/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
>> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>-
>>-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>diff --git a/policy/modules/system/iptables.if
>>b/policy/modules/system/iptables.if
>>index 6321f8c4b..7d8f18217 100644
>>--- a/policy/modules/system/iptables.if
>>+++ b/policy/modules/system/iptables.if
>>@@ -1,4 +1,4 @@
>>-## <summary>Policy for iptables.</summary>
>>+## <summary>Administration tool for IP packet filtering and
>>NAT.</summary>
>>
>> ########################################
>> ## <summary>
>>@@ -68,7 +68,7 @@ interface(`iptables_exec',`
>> can_exec($1, iptables_exec_t)
>> ')
>>
>>-#####################################
>>+########################################
>> ## <summary>
>> ## Execute iptables init scripts in
>> ## the init script domain.
>>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
>> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>> ')
>>
>>-#####################################
>>+########################################
>> ## <summary>
>> ## Set the attributes of iptables config files.
>> ## </summary>
>>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
>> allow $1 iptables_conf_t:file setattr;
>> ')
>>
>>-#####################################
>>+########################################
>> ## <summary>
>> ## Read iptables config files.
>> ## </summary>
>>@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
>> read_files_pattern($1, iptables_conf_t, iptables_conf_t)
>> ')
>>
>>-#####################################
>>+########################################
>> ## <summary>
>> ## Create files in /etc with the type used for
>> ## the iptables config files.
>>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
>> files_etc_filetrans($1, iptables_conf_t, file)
>> ')
>>
>>-###################################
>>+########################################
>> ## <summary>
>> ## Manage iptables config files.
>> ## </summary>
>>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
>> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>> ')
>>
>>-###################################
>>+########################################
>> ## <summary>
>>-## dontaudit reading iptables_var_run_t
>>+## dontaudit reading iptables_runtime_t
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
>> #
>> interface(`iptables_dontaudit_read_pids',`
>> gen_require(`
>>- type iptables_var_run_t;
>>+ type iptables_runtime_t;
>> ')
>>
>>- dontaudit $1 iptables_var_run_t:file read;
>>+ dontaudit $1 iptables_runtime_t:file read;
>> ')
>>
>> ########################################
>>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
>> interface(`iptables_admin',`
>> gen_require(`
>> type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>>- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>>+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
>> ')
>>
>>- allow $1 iptables_t:process { ptrace signal_perms };
>>- ps_process_pattern($1, iptables_t)
>>+ admin_process_pattern($1, iptables_t)
>>
>> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>>iptables_unit_t)
>>
>>- files_list_etc($1)
>>+ files_search_etc($1)
>> admin_pattern($1, iptables_conf_t)
>>
>>- files_list_tmp($1)
>>+ files_search_tmp($1)
>> admin_pattern($1, iptables_tmp_t)
>>
>>- files_list_pids($1)
>>- admin_pattern($1, iptables_var_run_t)
>>+ files_search_pids($1)
>>+ admin_pattern($1, iptables_runtime_t)
>> ')
>>diff --git a/policy/modules/system/iptables.te
>>b/policy/modules/system/iptables.te
>>index 5de8db0cb..869e684ea 100644
>>--- a/policy/modules/system/iptables.te
>>+++ b/policy/modules/system/iptables.te
>>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
>> type iptables_conf_t;
>> files_config_file(iptables_conf_t)
>>
>>+type iptables_runtime_t alias iptables_var_run_t;
>>+files_pid_file(iptables_runtime_t)
>>+
>> type iptables_tmp_t;
>> files_tmp_file(iptables_tmp_t)
>>
>> type iptables_unit_t;
>> init_unit_file(iptables_unit_t)
>>
>>-type iptables_var_run_t;
>>-files_pid_file(iptables_var_run_t)
>>-
>> ########################################
>> #
>> # Iptables local policy
>>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>>create_socket_perms;
>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
>> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>>
>>-manage_files_pattern(iptables_t, iptables_var_run_t,
>>iptables_var_run_t)
>>-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>>-
>> can_exec(iptables_t, iptables_exec_t)
>>
>>+manage_files_pattern(iptables_t, iptables_runtime_t,
>>iptables_runtime_t)
>>+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>>+
>> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
>> allow iptables_t iptables_tmp_t:file manage_file_perms;
>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>>
>>-kernel_getattr_proc(iptables_t)
>> kernel_request_load_module(iptables_t)
>> kernel_read_system_state(iptables_t)
>> kernel_read_network_state(iptables_t)
>>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>>
>> mls_file_read_all_levels(iptables_t)
>>
>>-term_dontaudit_use_console(iptables_t)
>>-
>> domain_use_interactive_fds(iptables_t)
>>
>>-files_read_etc_files(iptables_t)
>
>I suspect that if you remove files_read_etc_files() from iptables.te
>and leave only files_read_etc_runtime_files(), you also need to create
>a more generic file context in kernel/files.fc: instead of just
>/etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*

This is not needed because there is the specific iptables_conf_t context...

>But I have not tested yet, so I am not 100% sure yet...
> files_read_etc_runtime_files(iptables_t)
>>
>> auth_use_nsswitch(iptables_t)
>>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
>> miscfiles_read_localization(iptables_t)
>>
>> sysnet_run_ifconfig(iptables_t, iptables_roles)
>>-sysnet_dns_name_resolve(iptables_t)
>>
>>-userdom_use_user_terminals(iptables_t)
>>-userdom_use_all_users_fds(iptables_t)
>>+userdom_use_inherited_user_terminals(iptables_t)
>>
>> ifdef(`hide_broken_symptoms',`
>> dev_dontaudit_write_mtrr(iptables_t)
>>@@ -142,10 +136,6 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>>- seutil_sigchld_newrole(iptables_t)
>>-')
>>-
>>-optional_policy(`
>> shorewall_read_tmp_files(iptables_t)
>> shorewall_rw_lib_files(iptables_t)
>> shorewall_read_config(iptables_t)
>
>Regards,
>
>Guido
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-06-08 17:48:42

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/3] iptables: update

files_read_etc_files(iptables_t) is included in auth_use_nsswitch(iptables_t)

2017-06-08 19:46 GMT+02:00 Guido Trentalancia via refpolicy
<[email protected]>:
> I was wrong...
>
> On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy <[email protected]> wrote:
>>
>>
>>On the 8th of June 2017 19:12:12 CEST, "Christian Göttsche via
>>refpolicy" <[email protected]> wrote:
>>>From: cgzones <[email protected]>
>>>
>>>---
>>> policy/modules/system/iptables.fc | 6 +++---
>>>policy/modules/system/iptables.if | 33
>>>++++++++++++++++-----------------
>>> policy/modules/system/iptables.te | 24 +++++++-----------------
>>> 3 files changed, 26 insertions(+), 37 deletions(-)
>>>
>>>diff --git a/policy/modules/system/iptables.fc
>>>b/policy/modules/system/iptables.fc
>>>index 181eee95c..60ad98374 100644
>>>--- a/policy/modules/system/iptables.fc
>>>+++ b/policy/modules/system/iptables.fc
>>>@@ -4,6 +4,9 @@
>>>/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>>/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>>
>>>+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>+
>>>/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>@@ -36,6 +39,3 @@
>>>/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>-
>>>-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>diff --git a/policy/modules/system/iptables.if
>>>b/policy/modules/system/iptables.if
>>>index 6321f8c4b..7d8f18217 100644
>>>--- a/policy/modules/system/iptables.if
>>>+++ b/policy/modules/system/iptables.if
>>>@@ -1,4 +1,4 @@
>>>-## <summary>Policy for iptables.</summary>
>>>+## <summary>Administration tool for IP packet filtering and
>>>NAT.</summary>
>>>
>>> ########################################
>>> ## <summary>
>>>@@ -68,7 +68,7 @@ interface(`iptables_exec',`
>>> can_exec($1, iptables_exec_t)
>>> ')
>>>
>>>-#####################################
>>>+########################################
>>> ## <summary>
>>> ## Execute iptables init scripts in
>>> ## the init script domain.
>>>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
>>> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>>> ')
>>>
>>>-#####################################
>>>+########################################
>>> ## <summary>
>>> ## Set the attributes of iptables config files.
>>> ## </summary>
>>>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
>>> allow $1 iptables_conf_t:file setattr;
>>> ')
>>>
>>>-#####################################
>>>+########################################
>>> ## <summary>
>>> ## Read iptables config files.
>>> ## </summary>
>>>@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
>>> read_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>> ')
>>>
>>>-#####################################
>>>+########################################
>>> ## <summary>
>>> ## Create files in /etc with the type used for
>>> ## the iptables config files.
>>>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
>>> files_etc_filetrans($1, iptables_conf_t, file)
>>> ')
>>>
>>>-###################################
>>>+########################################
>>> ## <summary>
>>> ## Manage iptables config files.
>>> ## </summary>
>>>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
>>> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>> ')
>>>
>>>-###################################
>>>+########################################
>>> ## <summary>
>>>-## dontaudit reading iptables_var_run_t
>>>+## dontaudit reading iptables_runtime_t
>>> ## </summary>
>>> ## <param name="domain">
>>> ## <summary>
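Review bot: The summary is updated to name the new type, but a caller still sees the interface name `iptables_dontaudit_read_pids`, which no longer matches `iptables_runtime_t`. Keeping the old name is right for existing callers, so the summary should describe what is suppressed rather than echo the type, e.g. `## Do not audit attempts to read iptables runtime (pid/lock) files.` The interface body itself is in the following hunk.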
>>>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
>>> #
>>> interface(`iptables_dontaudit_read_pids',`
>>> gen_require(`
>>>- type iptables_var_run_t;
>>>+ type iptables_runtime_t;
>>> ')
>>>
>>>- dontaudit $1 iptables_var_run_t:file read;
>>>+ dontaudit $1 iptables_runtime_t:file read;
>>> ')
>>>
>>> ########################################
>>>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
>>> interface(`iptables_admin',`
>>> gen_require(`
>>> type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>>>- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>>>+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
>>> ')
>>>
>>>- allow $1 iptables_t:process { ptrace signal_perms };
>>>- ps_process_pattern($1, iptables_t)
>>>+ admin_process_pattern($1, iptables_t)
>>>
>>> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>>>iptables_unit_t)
>>>
>>>- files_list_etc($1)
>>>+ files_search_etc($1)
>>> admin_pattern($1, iptables_conf_t)
>>>
>>>- files_list_tmp($1)
>>>+ files_search_tmp($1)
>>> admin_pattern($1, iptables_tmp_t)
>>>
>>>- files_list_pids($1)
>>>- admin_pattern($1, iptables_var_run_t)
>>>+ files_search_pids($1)
>>>+ admin_pattern($1, iptables_runtime_t)
>>> ')
>>>diff --git a/policy/modules/system/iptables.te
>>>b/policy/modules/system/iptables.te
>>>index 5de8db0cb..869e684ea 100644
>>>--- a/policy/modules/system/iptables.te
>>>+++ b/policy/modules/system/iptables.te
>>>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
>>> type iptables_conf_t;
>>> files_config_file(iptables_conf_t)
>>>
>>>+type iptables_runtime_t alias iptables_var_run_t;
>>>+files_pid_file(iptables_runtime_t)
>>>+
>>> type iptables_tmp_t;
>>> files_tmp_file(iptables_tmp_t)
>>>
>>> type iptables_unit_t;
>>> init_unit_file(iptables_unit_t)
>>>
>>>-type iptables_var_run_t;
>>>-files_pid_file(iptables_var_run_t)
>>>-
>>> ########################################
>>> #
>>> # Iptables local policy
>>>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>>>create_socket_perms;
>>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
>>> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>>>
>>>-manage_files_pattern(iptables_t, iptables_var_run_t,
>>>iptables_var_run_t)
>>>-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>>>-
>>> can_exec(iptables_t, iptables_exec_t)
>>>
>>>+manage_files_pattern(iptables_t, iptables_runtime_t,
>>>iptables_runtime_t)
>>>+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>>>+
>>> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
>>> allow iptables_t iptables_tmp_t:file manage_file_perms;
>>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>>>
>>>-kernel_getattr_proc(iptables_t)
>>> kernel_request_load_module(iptables_t)
>>> kernel_read_system_state(iptables_t)
>>> kernel_read_network_state(iptables_t)
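Review bot: Dropping `kernel_getattr_proc(iptables_t)` removes `proc_t:filesystem getattr` (statfs on /proc), and nothing else in this hunk re-grants it; as far as I recall `kernel_read_system_state` only covers dir, file and lnk_file access under /proc, not the filesystem class. If the permission was found to be unused, the commit message should say how that was established (no AVC denial after exercising iptables-save/-restore with the rule removed); otherwise keep the line. The run of iptables_t rules continues outside the hunk.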
>>>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>>>
>>> mls_file_read_all_levels(iptables_t)
>>>
>>>-term_dontaudit_use_console(iptables_t)
>>>-
>>> domain_use_interactive_fds(iptables_t)
>>>
>>>-files_read_etc_files(iptables_t)
>>
>>I suspect that if you remove files_read_etc_files() from iptables.te
>>and leave only files_read_etc_runtime_files(), you also need to create
>>a more generic file context in kernel/files.fc: instead of just
>>/etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*
>
> This is not needed because there is the specific iptables_conf_t context...
>
>>But I have not tested yet, so I am not 100% sure yet...
>> files_read_etc_runtime_files(iptables_t)
>>>
>>> auth_use_nsswitch(iptables_t)
>>>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
>>> miscfiles_read_localization(iptables_t)
>>>
>>> sysnet_run_ifconfig(iptables_t, iptables_roles)
>>>-sysnet_dns_name_resolve(iptables_t)
>>>
>>>-userdom_use_user_terminals(iptables_t)
>>>-userdom_use_all_users_fds(iptables_t)
>>>+userdom_use_inherited_user_terminals(iptables_t)
>>>
>>> ifdef(`hide_broken_symptoms',`
>>> dev_dontaudit_write_mtrr(iptables_t)
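Review bot: Replacing `userdom_use_all_users_fds` with `userdom_use_inherited_user_terminals` is only safe if the latter also grants `fd use` on user-domain file descriptors; if it does not, stdout/stderr redirected by the invoking user shell are closed and replaced with /dev/null at the domain transition (the kernel drops inherited fds the new domain may not use) instead of producing a visible error, which is easy to miss in testing. Please confirm which permissions the inherited-terminals interface carries and mention it in the commit message. Narrowing the tty rules to the inherited variant is otherwise the right least-privilege direction, since iptables never needs to open a user's terminal itself.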
>>>@@ -142,10 +136,6 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>>- seutil_sigchld_newrole(iptables_t)
>>>-')
>>>-
>>>-optional_policy(`
>>> shorewall_read_tmp_files(iptables_t)
>>> shorewall_rw_lib_files(iptables_t)
>>> shorewall_read_config(iptables_t)
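Review bot: The removal of the `seutil_sigchld_newrole` optional block is not explained in the patch and no other hunk replaces it; as far as I recall that interface allows `newrole_t:process sigchld`, so running iptables inside a `newrole` session would produce a denial when the tool exits. If it was dropped because the permission is now granted by a generic interface, name that interface in the commit message; otherwise keep the block. The optional_policy list continues outside the hunk.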
>>
>>Regards,
>>
>>Guido
>>
>

2017-06-08 22:44:11

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] iptables: align file contexts

On 06/08/2017 01:12 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> policy/modules/system/iptables.fc | 74 +++++++++++++++++++--------------------
> 1 file changed, 37 insertions(+), 37 deletions(-)
>
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 7e71bdb4b..181eee95c 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -1,41 +1,41 @@
> -/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> +/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
> -/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>
> -/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> -/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> -/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> -/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> +/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> +/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> +/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> +/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
>
> -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>
> -/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
> -/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
> +/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
> +/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>

Merged.


--
Chris PeBenito

2017-06-08 22:46:03

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] iptables: update

On 06/08/2017 01:48 PM, Christian Göttsche via refpolicy wrote:
> files_read_etc_files(iptables_t) is included in auth_use_nsswitch(iptables_t)

Please don't remove rules just because they are part of
auth_use_nsswitch(). See other thread for details.


> 2017-06-08 19:46 GMT+02:00 Guido Trentalancia via refpolicy
> <[email protected]>:
>> I was wrong...
>>
>> On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy <[email protected]> wrote:
>>>
>>>
>>> On the 8th of June 2017 19:12:12 CEST, "Christian Göttsche via
>>> refpolicy" <[email protected]> wrote:
>>>> From: cgzones <[email protected]>
>>>>
>>>> ---
>>>> policy/modules/system/iptables.fc | 6 +++---
>>>> policy/modules/system/iptables.if | 33
>>>> ++++++++++++++++-----------------
>>>> policy/modules/system/iptables.te | 24 +++++++-----------------
>>>> 3 files changed, 26 insertions(+), 37 deletions(-)
>>>>
>>>> diff --git a/policy/modules/system/iptables.fc
>>>> b/policy/modules/system/iptables.fc
>>>> index 181eee95c..60ad98374 100644
>>>> --- a/policy/modules/system/iptables.fc
>>>> +++ b/policy/modules/system/iptables.fc
>>>> @@ -4,6 +4,9 @@
>>>> /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>>> /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>>>>
>>>> +/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>> +/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>> +
>>>> /usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> @@ -36,6 +39,3 @@
>>>> /usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> -
>>>> -/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>> -/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>> diff --git a/policy/modules/system/iptables.if
>>>> b/policy/modules/system/iptables.if
>>>> index 6321f8c4b..7d8f18217 100644
>>>> --- a/policy/modules/system/iptables.if
>>>> +++ b/policy/modules/system/iptables.if
>>>> @@ -1,4 +1,4 @@
>>>> -## <summary>Policy for iptables.</summary>
>>>> +## <summary>Administration tool for IP packet filtering and
>>>> NAT.</summary>
>>>>
>>>> ########################################
>>>> ## <summary>
>>>> @@ -68,7 +68,7 @@ interface(`iptables_exec',`
>>>> can_exec($1, iptables_exec_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ## Execute iptables init scripts in
>>>> ## the init script domain.
>>>> @@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
>>>> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ## Set the attributes of iptables config files.
>>>> ## </summary>
>>>> @@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
>>>> allow $1 iptables_conf_t:file setattr;
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ## Read iptables config files.
>>>> ## </summary>
>>>> @@ -126,7 +126,7 @@ interface(`iptables_read_config',`
>>>> read_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ## Create files in /etc with the type used for
>>>> ## the iptables config files.
>>>> @@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
>>>> files_etc_filetrans($1, iptables_conf_t, file)
>>>> ')
>>>>
>>>> -###################################
>>>> +########################################
>>>> ## <summary>
>>>> ## Manage iptables config files.
>>>> ## </summary>
>>>> @@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
>>>> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>>> ')
>>>>
>>>> -###################################
>>>> +########################################
>>>> ## <summary>
>>>> -## dontaudit reading iptables_var_run_t
>>>> +## dontaudit reading iptables_runtime_t
>>>> ## </summary>
>>>> ## <param name="domain">
>>>> ## <summary>
>>>> @@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
>>>> #
>>>> interface(`iptables_dontaudit_read_pids',`
>>>> gen_require(`
>>>> - type iptables_var_run_t;
>>>> + type iptables_runtime_t;
>>>> ')
>>>>
>>>> - dontaudit $1 iptables_var_run_t:file read;
>>>> + dontaudit $1 iptables_runtime_t:file read;
>>>> ')
>>>>
>>>> ########################################
>>>> @@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
>>>> interface(`iptables_admin',`
>>>> gen_require(`
>>>> type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>>>> - type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>>>> + type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
>>>> ')
>>>>
>>>> - allow $1 iptables_t:process { ptrace signal_perms };
>>>> - ps_process_pattern($1, iptables_t)
>>>> + admin_process_pattern($1, iptables_t)
>>>>
>>>> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>>>> iptables_unit_t)
>>>>
>>>> - files_list_etc($1)
>>>> + files_search_etc($1)
>>>> admin_pattern($1, iptables_conf_t)
>>>>
>>>> - files_list_tmp($1)
>>>> + files_search_tmp($1)
>>>> admin_pattern($1, iptables_tmp_t)
>>>>
>>>> - files_list_pids($1)
>>>> - admin_pattern($1, iptables_var_run_t)
>>>> + files_search_pids($1)
>>>> + admin_pattern($1, iptables_runtime_t)
>>>> ')
>>>> diff --git a/policy/modules/system/iptables.te
>>>> b/policy/modules/system/iptables.te
>>>> index 5de8db0cb..869e684ea 100644
>>>> --- a/policy/modules/system/iptables.te
>>>> +++ b/policy/modules/system/iptables.te
>>>> @@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
>>>> type iptables_conf_t;
>>>> files_config_file(iptables_conf_t)
>>>>
>>>> +type iptables_runtime_t alias iptables_var_run_t;
>>>> +files_pid_file(iptables_runtime_t)
>>>> +
>>>> type iptables_tmp_t;
>>>> files_tmp_file(iptables_tmp_t)
>>>>
>>>> type iptables_unit_t;
>>>> init_unit_file(iptables_unit_t)
>>>>
>>>> -type iptables_var_run_t;
>>>> -files_pid_file(iptables_var_run_t)
>>>> -
>>>> ########################################
>>>> #
>>>> # Iptables local policy
>>>> @@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>>>> create_socket_perms;
>>>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
>>>> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>>>>
>>>> -manage_files_pattern(iptables_t, iptables_var_run_t,
>>>> iptables_var_run_t)
>>>> -files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>>>> -
>>>> can_exec(iptables_t, iptables_exec_t)
>>>>
>>>> +manage_files_pattern(iptables_t, iptables_runtime_t,
>>>> iptables_runtime_t)
>>>> +files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>>>> +
>>>> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
>>>> allow iptables_t iptables_tmp_t:file manage_file_perms;
>>>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>>>>
>>>> -kernel_getattr_proc(iptables_t)
>>>> kernel_request_load_module(iptables_t)
>>>> kernel_read_system_state(iptables_t)
>>>> kernel_read_network_state(iptables_t)
>>>> @@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>>>>
>>>> mls_file_read_all_levels(iptables_t)
>>>>
>>>> -term_dontaudit_use_console(iptables_t)
>>>> -
>>>> domain_use_interactive_fds(iptables_t)
>>>>
>>>> -files_read_etc_files(iptables_t)
>>>
>>> I suspect that if you remove files_read_etc_files() from iptables.te
>>> and leave only files_read_etc_runtime_files(), you also need to create
>>> a more generic file context in kernel/files.fc: instead of just
>>> /etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*
>>
>> This is not needed because there is the specific iptables_conf_t context...
>>
>>> But I have not tested yet, so I am not 100% sure yet...
>>> files_read_etc_runtime_files(iptables_t)
>>>>
>>>> auth_use_nsswitch(iptables_t)
>>>> @@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
>>>> miscfiles_read_localization(iptables_t)
>>>>
>>>> sysnet_run_ifconfig(iptables_t, iptables_roles)
>>>> -sysnet_dns_name_resolve(iptables_t)
>>>>
>>>> -userdom_use_user_terminals(iptables_t)
>>>> -userdom_use_all_users_fds(iptables_t)
>>>> +userdom_use_inherited_user_terminals(iptables_t)
>>>>
>>>> ifdef(`hide_broken_symptoms',`
>>>> dev_dontaudit_write_mtrr(iptables_t)
>>>> @@ -142,10 +136,6 @@ optional_policy(`
>>>> ')
>>>>
>>>> optional_policy(`
>>>> - seutil_sigchld_newrole(iptables_t)
>>>> -')
>>>> -
>>>> -optional_policy(`
>>>> shorewall_read_tmp_files(iptables_t)
>>>> shorewall_rw_lib_files(iptables_t)
>>>> shorewall_read_config(iptables_t)
>>>
>>> Regards,
>>>
>>> Guido



--
Chris PeBenito