From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 09 Sep 2010 08:33:32 -0400 Subject: [refpolicy] [Various 1/1] Add nfctool module and its dependencies. In-Reply-To: <20100903194621.GA4338@localhost.localdomain> References: <20100903194621.GA4338@localhost.localdomain> Message-ID: <4C88D41C.8060700@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/03/10 15:46, Dominick Grift wrote: > Add brctl_run interface to cleaned up brctl module. > Add brctl domtrans and run calls to new ncftool module, modutils. > Implement system conf type for manageable system configuration files. > Add /replace calls to system configuration interfaces in virt, init, iptables. > Add network configuration interfaces and add calls to these interfaces in various modules. There are unrelated changes in this patch; please remove them. This patch is also big enough that it should probably be split up into 2 or 3 patches. 
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 5b43db5... 8f1ee2c... M policy/modules/admin/brctl.if
> :100644 100644 0ff3679... 45b26c9... M policy/modules/admin/brctl.te
> :000000 100644 0000000... 19710b5... A policy/modules/admin/ncftool.fc
> :000000 100644 0000000... 5b9318b... A policy/modules/admin/ncftool.if
> :000000 100644 0000000... 2e2f551... A policy/modules/admin/ncftool.te
> :100644 100644 a22e546... 157f6ff... M policy/modules/admin/shorewall.te
> :100644 100644 3517db2... ba92739... M policy/modules/kernel/files.fc
> :100644 100644 5302dac... 17e7a6a... M policy/modules/kernel/files.if
> :100644 100644 07352a5... ec07a47... M policy/modules/kernel/files.te
> :100644 100644 3cce663... 57c0f15... M policy/modules/services/virt.te
> :100644 100644 abab4cf... c038370... M policy/modules/system/init.te
> :100644 100644 13f62a6... e0813a1... M policy/modules/system/iptables.fc
> :100644 100644 5c94dfe... 68cd2d2... M policy/modules/system/iptables.if
> :100644 100644 a3fdcb3... 8e644c4... M policy/modules/system/iptables.te
> :100644 100644 9c0faab... 565e5bc... M policy/modules/system/modutils.if
> :100644 100644 8e71fb7... 1e4892d... M policy/modules/system/sysnetwork.if
> :100644 100644 dfbe736... ab27920...
M policy/modules/system/sysnetwork.te
> policy/modules/admin/brctl.if | 34 ++++++++++++-
> policy/modules/admin/brctl.te | 1 -
> policy/modules/admin/ncftool.fc | 1 +
> policy/modules/admin/ncftool.if | 80 +++++++++++++++++++++++++++++++
> policy/modules/admin/ncftool.te | 82 ++++++++++++++++++++++++++++++++
> policy/modules/admin/shorewall.te | 4 ++
> policy/modules/kernel/files.fc | 89 +++-------------------------------
> policy/modules/kernel/files.if | 74 +++++++++++++++++++++++++++++
> policy/modules/kernel/files.te | 8 +++
> policy/modules/services/virt.te | 7 ++-
> policy/modules/system/init.te | 2 +
> policy/modules/system/iptables.fc | 2 -
> policy/modules/system/iptables.if | 78 ------------------------------
> policy/modules/system/iptables.te | 4 +-
> policy/modules/system/modutils.if | 20 ++++++++
> policy/modules/system/sysnetwork.if | 38 +++++++++++++++
> policy/modules/system/sysnetwork.te | 4 ++
> 17 files changed, 357 insertions(+), 171 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
> index 5b43db5..8f1ee2c 100644
> --- a/policy/modules/admin/brctl.if
> +++ b/policy/modules/admin/brctl.if
> @@ -1,13 +1,13 @@
> -##Utilities for configuring the linux ethernet bridge
> +##Utilities for configuring the linux ethernet bridge.
>
> ########################################
> ##
> ## Execute a domain transition to run brctl.
> ##
> ##
> -##
> +##
> ## Domain allowed to transition.
> -##
> +##
> ##
> #
> interface(`brctl_domtrans',`
> @@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
> type brctl_t, brctl_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, brctl_exec_t, brctl_t)
> ')
> +
> +#####################################
> +##
> +## Execute a domain transition to run
> +## Brctl, and allow the specified role
> +## the Brctl domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`brctl_run',`
> + gen_require(`
> + type brctl_t, brctl_exec_t;
> + ')
>
> + brctl_domtrans($1)
> + role $2 types brctl_t;
> +')
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index 0ff3679..45b26c9 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
> dev_rw_sysfs(brctl_t)
> dev_write_sysfs_dirs(brctl_t)
>
> -# Init script handling
> domain_use_interactive_fds(brctl_t)
>
> files_read_etc_files(brctl_t)
> diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
> new file mode 100644
> index 0000000..19710b5
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.fc
> @@ -0,0 +1 @@
> +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)
> diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
> new file mode 100644
> index 0000000..5b9318b
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.if
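Review bot: `brctl_run` lists `brctl_exec_t` in its `gen_require` but never references it — the executable type is handled inside `brctl_domtrans($1)` — so the require block can be narrowed to `type brctl_t;`, which is also what the new `ncftool_run` in this same patch does for its own domain. The banner above `brctl_run` is visibly shorter than the `########################################` banner of the existing `brctl_domtrans` just above it; the interfaces added to files.if and sysnetwork.if further down in this patch have the same uneven banners and should be brought to the file-wide width.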
> @@ -0,0 +1,80 @@
> +##Network Interface Management.
> +
> +########################################
> +##
> +## Execute a domain transition to run Ncftool.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`ncftool_domtrans',`
> + gen_require(`
> + type ncftool_t, ncftool_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, ncftool_exec_t, ncftool_t)
> +')
> +
> +########################################
> +##
> +## Execute a domain transition to run
> +## Ncftool, and allow the specified role
> +## the Ncftool domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`ncftool_run',`
> + gen_require(`
> + type ncftool_t;
> + ')
> +
> + ncftool_domtrans($1)
> + role $2 types ncftool_t;
> +
> + optional_policy(`
> + brctl_run(ncftool_t, $2)
> + ')
> +')
> +
> +########################################
> +##
> +## Role access for Ncftool.
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +##
> +## User domain for the role.
> +##
> +##
> +##
> +#
> +interface(`ncftool_role',`
> + gen_require(`
> + type ncftool_t;
> + ')
> +
> + role $1 types ncftool_t;
> +
> + ncftool_domtrans($2)
> +
> + ps_process_pattern($2, ncftool_t)
> + allow $2 ncftool_t:process { ptrace signal_perms };
> +')
> diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
> new file mode 100644
> index 0000000..2e2f551
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.te
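Review bot: `ncftool_run` and `ncftool_role` give a role different access: `ncftool_run` also grants the role `brctl_t` through the `optional_policy` block calling `brctl_run(ncftool_t, $2)`, whereas `ncftool_role` authorizes `ncftool_t` for the role but not the bridge domain, so a role configured via `ncftool_role` will be denied the `brctl` transition that ncftool_t itself is allowed. Either `ncftool_role` needs the same `optional_policy` block calling `brctl_run(ncftool_t, $1)`, or the brctl access for `ncftool_t` should be expressed once in ncftool.te so that both interfaces behave the same; rules for the module's own domain generally belong in the .te file rather than in an interface. The parameter summary of `ncftool_run` says `Domain allowed access.` where `ncftool_domtrans` says `Domain allowed to transition.`; the latter is the accurate wording for the first parameter.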
> @@ -0,0 +1,82 @@
> +policy_module(ncftool, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type ncftool_t;
> +type ncftool_exec_t;
> +application_domain(ncftool_t, ncftool_exec_t)
> +domain_obj_id_change_exemption(ncftool_t)
> +domain_system_change_exemption(ncftool_t)
> +role system_r types ncftool_t;
> +
> +########################################
> +#
> +# local policy
> +#
> +
> +allow ncftool_t self:capability { net_admin sys_ptrace };
> +allow ncftool_t self:process signal;
> +allow ncftool_t self:fifo_file manage_fifo_file_perms;
> +allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
> +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ncftool_t self:tcp_socket create_stream_socket_perms;
> +
> +kernel_read_kernel_sysctls(ncftool_t)
> +kernel_read_modprobe_sysctls(ncftool_t)
> +kernel_read_network_state(ncftool_t)
> +kernel_read_system_state(ncftool_t)
> +kernel_request_load_module(ncftool_t)
> +kernel_rw_net_sysctls(ncftool_t)
> +
> +corecmd_exec_bin(ncftool_t)
> +corecmd_exec_shell(ncftool_t)
> +
> +domain_read_all_domains_state(ncftool_t)
> +
> +dev_read_sysfs(ncftool_t)
> +
> +files_manage_system_conf_files(ncftool_t)
> +files_relabelto_system_conf_files(ncftool_t)
> +files_read_etc_files(ncftool_t)
> +files_read_etc_runtime_files(ncftool_t)
> +files_read_usr_files(ncftool_t)
> +
> +term_use_all_terms(ncftool_t)
> +
> +miscfiles_read_localization(ncftool_t)
> +
> +modutils_list_module_config(ncftool_t)
> +modutils_read_module_config(ncftool_t)
> +modutils_domtrans_insmod(ncftool_t)
> +
> +sysnet_delete_dhcpc_pid(ncftool_t)
> +sysnet_domtrans_dhcpc(ncftool_t)
> +sysnet_domtrans_ifconfig(ncftool_t)
> +sysnet_etc_filetrans_config(ncftool_t)
> +sysnet_manage_config(ncftool_t)
> +sysnet_read_dhcpc_state(ncftool_t)
> +sysnet_relabelfrom_net_conf(ncftool_t)
> +sysnet_relabelto_net_conf(ncftool_t)
> +sysnet_read_dhcpc_pid(ncftool_t)
> +sysnet_signal_dhcpc(ncftool_t)
>
+userdom_read_user_tmp_files(ncftool_t)
> +
> +optional_policy(`
> + consoletype_exec(ncftool_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(ncftool_t)
> +')
> +
> +optional_policy(`
> + iptables_initrc_domtrans(ncftool_t)
> +')
> +
> +optional_policy(`
> + netutils_domtrans(ncftool_t)
> +')
> diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
> index a22e546..157f6ff 100644
> --- a/policy/modules/admin/shorewall.te
> +++ b/policy/modules/admin/shorewall.te
> @@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
> userdom_dontaudit_list_user_home_dirs(shorewall_t)
>
> optional_policy(`
> + brctl_domtrans(shorewall_t)
> +')
> +
> +optional_policy(`
> hostname_exec(shorewall_t)
> ')
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 3517db2..ba92739 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -1,15 +1,9 @@
> -
> -#
> -# /
> -#
> /.* gen_context(system_u:object_r:default_t,s0)
> / -d gen_context(system_u:object_r:root_t,s0)
> /\.journal <>
> /afs -d gen_context(system_u:object_r:mnt_t,s0)
> /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
> /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
> -
> -ifdef(`distro_redhat',`
> /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
> /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> -
> -ifdef(`distro_suse',`
> /success -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# /boot
> -#
> /boot -d gen_context(system_u:object_r:boot_t,s0)
> /boot/.* gen_context(system_u:object_r:boot_t,s0)
> /boot/\.journal <>
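Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` combined with `domain_read_all_domains_state(ncftool_t)` lets the tool read the process state of every domain on the system, which is much wider than the interface-management job the module summary describes and neither line carries a justification. If this is only needed to locate the running dhclient (the `sysnet_read_dhcpc_pid` / `sysnet_signal_dhcpc` calls suggest that is the use case, but the hunk does not say), a comment above the capability rule such as `# sys_ptrace + all-domain state reads: needed to find the running dhclient — TODO confirm` would let a later reviewer decide whether the dhcpc-specific interfaces already suffice. `userdom_read_user_tmp_files(ncftool_t)` and `term_use_all_terms(ncftool_t)` deserve the same one-line why, since a privileged configuration tool consuming user temp files is an unusual trust direction. ncftool_t also gets `files_relabelto_system_conf_files` without the matching relabelfrom that virtd_t and initrc_t receive elsewhere in this patch; if the asymmetry is intended, a comment should say so.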
> @@ -35,15 +22,9 @@ ifdef(`distro_suse',`
> /boot/lost\+found/.* <>
> /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
>
> -#
> -# /emul
> -#
> /emul -d gen_context(system_u:object_r:usr_t,s0)
> /emul/.* gen_context(system_u:object_r:usr_t,s0)
>
> -#
> -# /etc
> -#
> /etc -d gen_context(system_u:object_r:etc_t,s0)
> /etc/.* gen_context(system_u:object_r:etc_t,s0)
> /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -72,114 +53,68 @@ ifdef(`distro_suse',`
>
> /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
> /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
> +
> +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
>
> -ifdef(`distro_gentoo', `
> /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -ifdef(`distro_redhat',`
> /etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
> -')
>
> -ifdef(`distro_suse',`
> /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
> /etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# HOME_ROOT
> -# expanded by genhomedircon
> -#
> HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
> HOME_ROOT/\.journal <>
> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> HOME_ROOT/lost\+found/.* <>
>
> -#
> -# /initrd
> -#
> -# initrd mount point, only used during boot
> /initrd -d gen_context(system_u:object_r:root_t,s0)
>
> -#
> -# /lib(64)?
> -#
> /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
> /lib64/modules(/.*)?
gen_context(system_u:object_r:modules_object_t,s0)
>
> -#
> -# /lost+found
> -#
> /lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /lost\+found/.* <>
>
> -#
> -# /media
> -#
> -# Mount points; do not relabel subdirectories, since
> -# we don't want to change any removable media by default.
> /media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
> /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
> /media/[^/]*/.* <>
> /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /misc
> -#
> /misc -d gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /mnt
> -#
> /mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
> /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
> /mnt/[^/]*/.* <>
>
> -#
> -# /net
> -#
> /net -d gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /opt
> -#
> /opt -d gen_context(system_u:object_r:usr_t,s0)
> /opt/.* gen_context(system_u:object_r:usr_t,s0)
>
> /opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
>
> -#
> -# /proc
> -#
> /proc -d <>
> /proc/.* <>
>
> -#
> -# /selinux
> -#
> /selinux -d <>
> /selinux/.* <>
>
> -#
> -# /srv
> -#
> /srv -d gen_context(system_u:object_r:var_t,s0)
> /srv/.* gen_context(system_u:object_r:var_t,s0)
>
> -#
> -# /sys
> -#
> /sys -d <>
> /sys/.* <>
>
> -#
> -# /tmp
> -#
> /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> /tmp/.* <>
> /tmp/\.journal <>
> @@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.* <>
> /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /tmp/lost\+found/.* <>
>
> -#
> -# /usr
> -#
> /usr -d gen_context(system_u:object_r:usr_t,s0)
> /usr/.* gen_context(system_u:object_r:usr_t,s0)
> /usr/\.journal <>
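Review bot: labeling `/etc/sysctl\.conf(\.old)?` together with the ebtables, ipvsadm and ip6?tables files as `system_conf_t` silently widens every caller of `files_manage_system_conf_files`: iptables_t (iptables.te hunk further down) previously could manage only its own `iptables_conf_t` files and now also gets write access to `/etc/sysctl.conf`, and ncftool_t and virtd_t receive the same; it is worth confirming each of those domains needs sysctl.conf rather than only the firewall save files, and the files.te comment introducing `system_conf_t` should list the file groups the type covers so callers understand its scope. This hunk also drops the `ifdef` guards for distro_gentoo, distro_redhat and distro_suse (the files.fc hunks at -1/-18 above and at -215/-255 below remove the distro_redhat, distro_suse and distro_debian guards the same way), so entries such as `/etc/profile\.env`, `/etc/rhgb(/.*)?` and `/etc/defkeymap\.map` are now labeled on every distribution; that is a labeling change independent of the new type and should be split out or reverted.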
> @@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.* <>
> /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
> /usr/tmp/.* <>
>
> -ifndef(`distro_redhat',`
> /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
>
> /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
> /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
> -')
>
> -#
> -# /var
> -#
> /var -d gen_context(system_u:object_r:var_t,s0)
> /var/.* gen_context(system_u:object_r:var_t,s0)
> /var/\.journal <>
> @@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
> /var/tmp/lost\+found/.* <>
> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
>
> -ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..17e7a6a 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
> manage_lnk_files_pattern($1, boot_t, boot_t)
> ')
>
> +###################################
> +##
> +## Create manageable system configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_etc_filetrans_system_conf',`
> + gen_require(`
> + type etc_t, system_conf_t;
> + ')
> +
> + filetrans_pattern($1, etc_t, system_conf_t, file)
> +')
> +
> +######################################
> +##
> +## Manage manageable system configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_manage_system_conf_files',`
> + gen_require(`
> + type etc_t, system_conf_t;
> + ')
> +
> + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
> +')
> +
> +######################################
> +##
> +## Relabel from manageable system configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabelfrom_system_conf_files',`
> + gen_require(`
> + type system_conf_t;
> + ')
> +
> + files_search_etc($1)
> + relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> +######################################
> +##
> +## Relabel to manageable system configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabelto_system_conf_files',`
> + gen_require(`
> + type system_conf_t;
> + ')
> +
> + files_search_etc($1)
> + relabelto_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> ########################################
> ##
> ## Read kernel files in the /boot directory.
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 07352a5..ec07a47 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
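Review bot: `files_manage_system_conf_files` passes `{ etc_t system_conf_t }` as the directory set of `manage_files_pattern`, which gives the caller `rw_dir_perms` on every `etc_t` directory — the ability to add and remove `system_conf_t` entries anywhere under /etc — whereas the `iptables_manage_config` it replaces (deleted in the iptables.if hunk below) granted only `files_search_etc($1)` plus `manage_files_pattern($1, iptables_conf_t, iptables_conf_t)`. If the intent is content management of existing files plus creation through the type transition, `files_search_etc($1)` followed by `manage_files_pattern($1, system_conf_t, system_conf_t)` preserves the old scope, since `files_etc_filetrans_system_conf` presumably already carries the `etc_t` directory write needed for creation; if the wider `etc_t` directory access is deliberate, the summary should say so instead of `Manage manageable system configuration files.`. `files_etc_filetrans_system_conf` could also call the existing `files_etc_filetrans($1, system_conf_t, file)`, as the deleted `iptables_etc_filetrans_config` did, rather than re-expanding `filetrans_pattern` against `etc_t` and requiring `etc_t` itself.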
> @@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
> type src_t;
> files_mountpoint(src_t)
>
> +# system_conf_t is a new type of various
> +# files in /etc/ that can be managed and
> +# created by several domains.
> +#
> +type system_conf_t, configfile;
> +files_type(system_conf_t)
> +typealias system_conf_t alias iptables_conf_t;
> +
> #
> # system_map_t is for the system.map files in /boot
> #
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..57c0f15 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -255,6 +255,10 @@ files_search_all(virtd_t)
> files_read_kernel_modules(virtd_t)
> files_read_usr_src_files(virtd_t)
> files_manage_etc_files(virtd_t)
> +files_relabelfrom_system_conf_files(virtd_t)
> +files_relabelto_system_conf_files(virtd_t)
> +files_manage_system_conf_files(virtd_t)
> +files_etc_filetrans_system_conf(virtd_t)
>
> fs_list_auto_mountpoints(virtd_t)
> fs_getattr_xattr_fs(virtd_t)
> @@ -339,9 +343,6 @@ optional_policy(`
> optional_policy(`
> iptables_domtrans(virtd_t)
> iptables_initrc_domtrans(virtd_t)
> -
> - # Manages /etc/sysconfig/system-config-firewall
> - iptables_manage_config(virtd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index abab4cf..c038370 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
> optional_policy(`
> sysnet_rw_dhcp_config(initrc_t)
> sysnet_manage_config(initrc_t)
> + sysnet_relabelfrom_net_conf(initrc_t)
> + sysnet_relabelto_net_conf(initrc_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 13f62a6..e0813a1 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
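Review bot: `typealias system_conf_t alias iptables_conf_t;` in files.te will clash with the `type iptables_conf_t;` declaration that iptables.te is expected to still contain — the iptables.te hunk below only swaps the two rule lines, and the diffstat (`4 +-`) shows nothing else changed in that file — so the patch as posted presumably fails to link with a duplicate declaration of `iptables_conf_t`; either the declaration (and its `files_config_file` call, if present) must be removed from iptables.te in the same patch, or the alias dropped since no remaining code in this patch refers to `iptables_conf_t`. The header comment is also thin for a base-module type that several domains can write: it should name the file groups files.fc assigns to it, e.g. `# system_conf_t: /etc/sysctl.conf and the /etc/sysconfig ip{6,}tables, ebtables, ipvsadm and system-config-firewall files, manageable by several domains.`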
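Review bot: virtd_t gains `files_relabelfrom_system_conf_files` and `files_relabelto_system_conf_files`, a relabel privilege it did not hold before: the rule these replace, `iptables_manage_config(virtd_t)` removed in the second virt.te hunk, only managed file content, and the `# Manages /etc/sysconfig/system-config-firewall` comment explaining the need is dropped with it. Relabelfrom plus relabelto on a type that now also covers `/etc/sysctl.conf` lets libvirtd move those files in and out of `system_conf_t`, so the new block should carry over the old comment and state which operation needs the relabel (a restorecon-style fixup after rewriting the firewall file, presumably — the hunk does not show it); if nothing in libvirt relabels, the two relabel calls should be left out and only the manage/filetrans pair kept, matching what iptables_t receives.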
> @@ -1,6 +1,4 @@
> /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
> /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 5c94dfe..68cd2d2 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
>
> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
> ')
> -
> -#####################################
> -##
> -## Set the attributes of iptables config files.
> -##
> -##
> -##
> -## Domain allowed access.
> -##
> -##
> -#
> -interface(`iptables_setattr_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_search_etc($1)
> - allow $1 iptables_conf_t:file setattr;
> -')
> -
> -#####################################
> -##
> -## Read iptables config files.
> -##
> -##
> -##
> -## Domain allowed access.
> -##
> -##
> -#
> -interface(`iptables_read_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_search_etc($1)
> - allow $1 iptables_conf_t:dir list_dir_perms;
> - read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> -
> -#####################################
> -##
> -## Create files in /etc with the type used for
> -## the iptables config files.
> -##
> -##
> -##
> -## Domain allowed access.
> -##
> -##
> -#
> -interface(`iptables_etc_filetrans_config',`
> - gen_require(`
> - type iptables_conf_t;
> - ')
> -
> - files_etc_filetrans($1, iptables_conf_t, file)
> -')
> -
> -###################################
> -##
> -## Manage iptables config files.
> -##
> -##
> -##
> -## Domain allowed access.
> -##
> -##
> -#
> -interface(`iptables_manage_config',`
> - gen_require(`
> - type iptables_conf_t;
> - type etc_t;
> - ')
> -
> - files_search_etc($1)
> - manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index a3fdcb3..8e644c4 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
> allow iptables_t self:process { sigchld sigkill sigstop signull signal };
> allow iptables_t self:rawip_socket create_socket_perms;
>
> -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> -files_etc_filetrans(iptables_t, iptables_conf_t, file)
> +files_manage_system_conf_files(iptables_t)
> +files_etc_filetrans_system_conf(iptables_t)
>
> manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
> files_pid_filetrans(iptables_t, iptables_var_run_t, file)
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index 9c0faab..565e5bc 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
>
> ########################################
> ##
> +## List the configuration options used when
> +## loading modules.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`modutils_list_module_config',`
> + gen_require(`
> + type modules_conf_t;
> + ')
> +
> + files_search_etc($1)
> + list_dirs_pattern($1, modules_conf_t, modules_conf_t)
> +')
> +
> +########################################
> +##
> ## Read the configuration options used when
> ## loading modules.
> ##
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 8e71fb7..1e4892d 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
> ')
> ')
>
> +#######################################
> +##
> +## Relabel from network configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`sysnet_relabelfrom_net_conf',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file relabelfrom;
> +')
> +
> +######################################
> +##
> +## Relabel to network configuration files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`sysnet_relabelto_net_conf',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file relabelto;
> +')
> +
> ########################################
> ##
> ## Connect and use a LDAP server.
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..ab27920 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + brctl_domtrans(ifconfig_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_rw_pipes(ifconfig_t)
> hal_dontaudit_rw_dgram_sockets(ifconfig_t)
> ')
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com