From: jason@perfinion.com (Jason Zaman) Date: Mon, 8 Jun 2015 14:33:03 +0400 Subject: [refpolicy] [PATCH 1/3] Introduce iptables_admin In-Reply-To: <20150608094520.GA12054@x131e> References: <1433755763-30704-1-git-send-email-jason@perfinion.com> <20150608094520.GA12054@x131e> Message-ID: <20150608103235.GA32501@meriadoc.Home> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, Jun 08, 2015 at 11:45:21AM +0200, Dominick Grift wrote: > On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote: > > --- > > policy/modules/roles/sysadm.te | 2 +- > > policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++ > > 2 files changed, 40 insertions(+), 1 deletion(-) > > > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > > index 8219dea..55e0179 100644 > > --- a/policy/modules/roles/sysadm.te > > +++ b/policy/modules/roles/sysadm.te > > @@ -178,7 +178,7 @@ optional_policy(` > > ') > > > > optional_policy(` > > - iptables_run(sysadm_t, sysadm_r) > > + iptables_admin(sysadm_t, sysadm_r) > > ') > > Why remove iptables_run()? Hmm, good point. I'll add that back in v2. I'll wait a little while longer for other comments before sending v2. Did you find any other issues in the rest of the patches? -- Jason > > > > > optional_policy(` > > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if > > index c42fbc3..26ce647 100644 > > --- a/policy/modules/system/iptables.if > > +++ b/policy/modules/system/iptables.if 
> > @@ -163,3 +163,42 @@ interface(`iptables_manage_config',` > > files_search_etc($1) > > manage_files_pattern($1, iptables_conf_t, iptables_conf_t) > > ') > > + > > +######################################## > > +## > > +## All of the rules required to > > +## administrate an iptables > > +## environment. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Role allowed access. > > +## > > +## > > +## > > +# > > +interface(`iptables_admin',` > > + gen_require(` > > + type iptables_t, iptables_initrc_exec_t, iptables_conf_t; > > + type iptables_tmp_t, iptables_var_run_t; > > + ') > > + > > + allow $1 iptables_t:process { ptrace signal_perms }; > > + ps_process_pattern($1, iptables_t) > > + > > + init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t) > > + > > + files_list_etc($1) > > + admin_pattern($1, iptables_conf_t) > > + > > + files_list_tmp($1) > > + admin_pattern($1, iptables_tmp_t) > > + > > + files_list_pids($1) > > + admin_pattern($1, iptables_var_run_t) > > +') > > -- > > 2.3.6 > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > -- > 02DFF788 > 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 > http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 > Dominick Grift > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
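Review bot: on the sysadm.te hunk, replacing iptables_run(sysadm_t, sysadm_r) with iptables_admin(sysadm_t, sysadm_r) drops the domain transition sysadm_t had into iptables_t and the sysadm_r role assignment that iptables_run() carried, because the iptables_admin() body added in the same patch never calls iptables_run(). Either keep the `iptables_run(sysadm_t, sysadm_r)` line next to the new `iptables_admin(sysadm_t, sysadm_r)` call, as agreed for v2, or have iptables_admin() provide the transition itself so callers need only one interface.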
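Review bot: on the iptables.if hunk, iptables_admin() is documented as "All of the rules required to administrate an iptables environment" but grants no way to actually execute iptables in the iptables_t domain; add `iptables_run($1, $2)` after the `ps_process_pattern($1, iptables_t)` line so that one call covers running the tool as well as managing the service, config, tmp and pid files. As written, the $2 role parameter is consumed only by init_startstop_service(), which is also worth a mention in the interface's param documentation.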