From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 10 Nov 2012 17:52:04 +0100
Subject: [refpolicy] [PATCH 2/2] Run ipset in iptables domain
In-Reply-To: <1352566324-17831-1-git-send-email-sven.vermeulen@siphos.be>
References: <1352566324-17831-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1352566324-17831-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The ipset command is used to manage ip sets, used by iptables for a more flexible management of firewall rules. It has very similar requirements to iptables for accessing and working with the Linux kernel, so we mark ipset as iptables_exec_t to have it run in the iptables domain.

Signed-off-by: Sven Vermeulen
---
 policy/modules/system/iptables.fc | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 14cffd2..1b93eb7 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -15,6 +15,7 @@
 /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-- 
1.7.8.6
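Review bot: the hunk labels only /usr/sbin/ipset, while the surrounding context in this same file covers binaries under both /sbin/ (e.g. /sbin/xtables-multi) and /usr/sbin/, so please confirm whether a /sbin/ipset entry is also needed for distributions that install it there; otherwise ipset would run unconfined in the caller's domain on those systems. Since this patch is a file-context change only and relies on the commit message's claim that ipset's kernel access needs match those already granted to the iptables domain, it would also help to note in the commit message that typical ipset operations (create, add, save/restore) were exercised under the iptables domain without AVC denials, or to add the missing rules in the .te in the same series if any were observed.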