From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 Jun 2015 11:45:21 +0200
Subject: [refpolicy] [PATCH 1/3] Introduce iptables_admin
In-Reply-To: <1433755763-30704-1-git-send-email-jason@perfinion.com>
References: <1433755763-30704-1-git-send-email-jason@perfinion.com>
Message-ID: <20150608094520.GA12054@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote:
> --- > policy/modules/roles/sysadm.te | 2 +- > policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++ > 2 files changed, 40 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 8219dea..55e0179 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -178,7 +178,7 @@ optional_policy(` > ') > > optional_policy(` > - iptables_run(sysadm_t, sysadm_r) > + iptables_admin(sysadm_t, sysadm_r) > ') Why remove iptables_run()? > > optional_policy(` > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if > index c42fbc3..26ce647 100644 > --- a/policy/modules/system/iptables.if > +++ b/policy/modules/system/iptables.if
> @@ -163,3 +163,42 @@ interface(`iptables_manage_config',` > files_search_etc($1) > manage_files_pattern($1, iptables_conf_t, iptables_conf_t) > ') > + > +######################################## > +## > +## All of the rules required to > +## administrate an iptables > +## environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`iptables_admin',` > + gen_require(` > + type iptables_t, iptables_initrc_exec_t, iptables_conf_t; > + type iptables_tmp_t, iptables_var_run_t; > + ') > + > + allow $1 iptables_t:process { ptrace signal_perms }; > + ps_process_pattern($1, iptables_t) > + > + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) > + > + files_list_etc($1) > + admin_pattern($1, iptables_conf_t) > + > + files_list_tmp($1) > + admin_pattern($1, iptables_tmp_t) > + > + files_list_pids($1) > + admin_pattern($1, iptables_var_run_t) > +') > -- > 2.3.6

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
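Review bot: in the sysadm.te hunk, replacing iptables_run(sysadm_t, sysadm_r) with iptables_admin(sysadm_t, sysadm_r) removes the domain and role transition into iptables_t that iptables_run provided, and the iptables_admin interface added in the same patch never calls iptables_run($1, $2), so sysadm_t would no longer transition into iptables_t when running the iptables tools. Either keep the iptables_run call in sysadm.te next to iptables_admin, or make iptables_admin provide the run access itself.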
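Review bot: in the iptables.if hunk, the new iptables_admin interface uses its role parameter $2 only in init_startstop_service and never invokes the existing iptables_run interface, so a caller that switches from iptables_run to iptables_admin loses the ability to execute the tools in iptables_t. Suggest adding `iptables_run($1, $2)` directly after the gen_require block, which is how comparable *_admin interfaces in refpolicy hand the run access to the administrating domain. Also note that `allow $1 iptables_t:process { ptrace signal_perms };` grants ptrace over iptables_t processes; if that is intended, the interface summary should say so.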