From: jason@perfinion.com (Jason Zaman)
Date: Tue, 9 Jun 2015 00:38:21 +0400
Subject: [refpolicy] [PATCH v2 1/2] Introduce iptables_admin
Message-ID: <1433795902-12448-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
policy/modules/roles/sysadm.te | 1 +
policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8219dea..f9919fd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -178,6 +178,7 @@ optional_policy(`
')
optional_policy(`
+ iptables_admin(sysadm_t, sysadm_r)
iptables_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index c42fbc3..26ce647 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
+
+########################################
+##
+## All of the rules required to
+## administrate an iptables
+## environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`iptables_admin',`
+ gen_require(`
+ type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+ type iptables_tmp_t, iptables_var_run_t;
+ ')
+
+ allow $1 iptables_t:process { ptrace signal_perms };
+ ps_process_pattern($1, iptables_t)
+
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, iptables_conf_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, iptables_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, iptables_var_run_t)
+')
--
2.3.6