From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 Jun 2015 12:37:58 +0200
Subject: [refpolicy] [PATCH 1/3] Introduce iptables_admin
In-Reply-To: <20150608103235.GA32501@meriadoc.Home>
References: <1433755763-30704-1-git-send-email-jason@perfinion.com>
	<20150608094520.GA12054@x131e>
	<20150608103235.GA32501@meriadoc.Home>
Message-ID: <20150608103757.GB12054@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 08, 2015 at 02:33:03PM +0400, Jason Zaman wrote:
> On Mon, Jun 08, 2015 at 11:45:21AM +0200, Dominick Grift wrote:
> > On Mon, Jun 08, 2015 at 01:29:21PM +0400, Jason Zaman wrote:
> > > ---
> > >  policy/modules/roles/sysadm.te    |  2 +-
> > >  policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
> > >  2 files changed, 40 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > > index 8219dea..55e0179 100644
> > > --- a/policy/modules/roles/sysadm.te
> > > +++ b/policy/modules/roles/sysadm.te
> > > @@ -178,7 +178,7 @@ optional_policy(`
> > >  ')
> > >  
> > >  optional_policy(`
> > > -	iptables_run(sysadm_t, sysadm_r)
> > > +	iptables_admin(sysadm_t, sysadm_r)
> > >  ')
> > 
> > Why remove iptables_run()?
> 
> Hmm, good point. I'll add that back in v2.
> 
> I'll wait a little while longer for other comments before sending v2.
> Did you find any other issues in the rest of the patches?

I think I saw similar instances in your other patches where run interfaces were removed.

> 
> -- Jason
> 
> > 
> > >  
> > >  optional_policy(`
> > > diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> > > index c42fbc3..26ce647 100644
> > > --- a/policy/modules/system/iptables.if
> > > +++ b/policy/modules/system/iptables.if
> > > @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
> > >  	files_search_etc($1)
> > >  	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> > >  ')
> > > +
> > > +########################################
> > > +##
> > > +##	All of the rules required to
> > > +##	administrate an iptables
> > > +##	environment.
> > > +##
> > > +##
> > > +##
> > > +##	Domain allowed access.
> > > +##
> > > +##
> > > +##
> > > +##
> > > +##	Role allowed access.
> > > +##
> > > +##
> > > +#
> > > +interface(`iptables_admin',`
> > > +	gen_require(`
> > > +		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> > > +		type iptables_tmp_t, iptables_var_run_t;
> > > +	')
> > > +
> > > +	allow $1 iptables_t:process { ptrace signal_perms };
> > > +	ps_process_pattern($1, iptables_t)
> > > +
> > > +	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> > > +
> > > +	files_list_etc($1)
> > > +	admin_pattern($1, iptables_conf_t)
> > > +
> > > +	files_list_tmp($1)
> > > +	admin_pattern($1, iptables_tmp_t)
> > > +
> > > +	files_list_pids($1)
> > > +	admin_pattern($1, iptables_var_run_t)
> > > +')
> > > -- 
> > > 2.3.6
> > > 
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
> > 
> > -- 
> > 02DFF788
> > 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
> > http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> > Dominick Grift
> > 
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
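Review bot: in the sysadm.te hunk, the removed line `-	iptables_run(sysadm_t, sysadm_r)` is the only rule that lets sysadm_t transition into iptables_t, and the replacement `+	iptables_admin(sysadm_t, sysadm_r)` does not restore it (the new interface below contains no domtrans or role association for iptables_t). Keep iptables_run(sysadm_t, sysadm_r) next to the iptables_admin call, as agreed in the reply above, so the role can still run iptables directly rather than only through the init script.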
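Review bot: in the iptables.if hunk, the summary "All of the rules required to administrate an iptables environment" over-promises, because the interface body only grants process control (`allow $1 iptables_t:process { ptrace signal_perms };`, ps_process_pattern), init_startstop_service, and admin_pattern on iptables_conf_t, iptables_tmp_t and iptables_var_run_t; nothing in it lets $1 execute iptables in the iptables_t domain, and the $2 role is consumed only by init_startstop_service. Either call iptables_run($1, $2) inside iptables_admin so every caller gets the transition along with the administrative rules, or state in the summary that callers must pair it with iptables_run.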