From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 9 Jun 2015 08:40:39 -0400
Subject: [refpolicy] [PATCH v2 1/2] Introduce iptables_admin
In-Reply-To: <1433795902-12448-1-git-send-email-jason@perfinion.com>
References: <1433795902-12448-1-git-send-email-jason@perfinion.com>
Message-ID: <5576DEC7.2080606@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 6/8/2015 4:38 PM, Jason Zaman wrote:
> ---
>  policy/modules/roles/sysadm.te    |  1 +
>  policy/modules/system/iptables.if | 39 +++++++++++++++++++++++++++++++++++++++
>  2 files changed, 40 insertions(+)

Merged.



> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8219dea..f9919fd 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -178,6 +178,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	iptables_admin(sysadm_t, sysadm_r)
>  	iptables_run(sysadm_t, sysadm_r)
>  ')
>  
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index c42fbc3..26ce647 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
>  	files_search_etc($1)
>  	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	All of the rules required to
> +##	administrate an iptables
> +##	environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`iptables_admin',`
> +	gen_require(`
> +		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> +		type iptables_tmp_t, iptables_var_run_t;
> +	')
> +
> +	allow $1 iptables_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, iptables_t)
> +
> +	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
> +
> +	files_list_etc($1)
> +	admin_pattern($1, iptables_conf_t)
> +
> +	files_list_tmp($1)
> +	admin_pattern($1, iptables_tmp_t)
> +
> +	files_list_pids($1)
> +	admin_pattern($1, iptables_var_run_t)
> +')
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com