From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Thu, 8 Jun 2017 19:12:12 +0200
Subject: [refpolicy] [PATCH 2/3] iptables: update
In-Reply-To: <20170608171213.25823-1-cgzones@googlemail.com>
References: <20170608171213.25823-1-cgzones@googlemail.com>
Message-ID: <20170608171213.25823-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: cgzones

---
 policy/modules/system/iptables.fc | 6 +++---
 policy/modules/system/iptables.if | 33 ++++++++++++++++-----------------
 policy/modules/system/iptables.te | 24 +++++++----------------
 3 files changed, 26 insertions(+), 37 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95c..60ad98374 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
 /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+
 /usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -36,6 +39,3 @@
 /usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4b..7d8f18217 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## Policy for iptables.
+## Administration tool for IP packet filtering and NAT.
 
 ########################################
 ##
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
 	can_exec($1, iptables_exec_t)
 ')
 
-#####################################
+########################################
 ##
 ## Execute iptables init scripts in
 ## the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
 
-#####################################
+########################################
 ##
 ## Set the attributes of iptables config files.
 ##
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
 	allow $1 iptables_conf_t:file setattr;
 ')
 
-#####################################
+########################################
 ##
 ## Read iptables config files.
 ##
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
 	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-#####################################
+########################################
 ##
 ## Create files in /etc with the type used for
 ## the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
 	files_etc_filetrans($1, iptables_conf_t, file)
 ')
 
-###################################
+########################################
 ##
 ## Manage iptables config files.
 ##
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-###################################
+########################################
 ##
-## dontaudit reading iptables_var_run_t
+## dontaudit reading iptables_runtime_t
 ##
 ##
 ##
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
 #
 interface(`iptables_dontaudit_read_pids',`
 	gen_require(`
-		type iptables_var_run_t;
+		type iptables_runtime_t;
 	')
 
-	dontaudit $1 iptables_var_run_t:file read;
+	dontaudit $1 iptables_runtime_t:file read;
 ')
 
 ########################################
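Review bot: The summary of iptables_dontaudit_read_pids in the `@@ -165,9 +165,9 @@` hunk still reads as a bare type name, `## dontaudit reading iptables_runtime_t`, whereas the other summaries in this file describe the action in prose; `## Do not audit attempts to read iptables runtime files.` would match them and would not need touching on any further type rename. Keeping the interface name with "pids" while the type becomes iptables_runtime_t is a reasonable choice, since renaming the interface would break out-of-tree callers, but that mismatch deserves a one-line mention in the summary. The remaining hunks only normalise the separator width and need no change.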
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
 interface(`iptables_admin',`
 	gen_require(`
 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
-		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+		type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
 	')
 
-	allow $1 iptables_t:process { ptrace signal_perms };
-	ps_process_pattern($1, iptables_t)
+	admin_process_pattern($1, iptables_t)
 
 	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
-	files_list_etc($1)
+	files_search_etc($1)
 	admin_pattern($1, iptables_conf_t)
 
-	files_list_tmp($1)
+	files_search_tmp($1)
 	admin_pattern($1, iptables_tmp_t)
 
-	files_list_pids($1)
-	admin_pattern($1, iptables_var_run_t)
+	files_search_pids($1)
+	admin_pattern($1, iptables_runtime_t)
 ')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0cb..869e684ea 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
 type iptables_conf_t;
 files_config_file(iptables_conf_t)
 
+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
 type iptables_unit_t;
 init_unit_file(iptables_unit_t)
 
-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
 ########################################
 #
 # Iptables local policy
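Review bot: `admin_process_pattern($1, iptables_t)` replaces the explicit `allow $1 iptables_t:process { ptrace signal_perms };` and `ps_process_pattern($1, iptables_t)` in iptables_admin, so the process permissions an administrator domain receives now depend entirely on what that support macro expands to; it should be confirmed that the macro exists in this tree's support macros at this point in the series and that its expansion is the intended superset, since a mismatch would silently widen or narrow what the admin can do to iptables_t. The move from files_list_* to files_search_* is a sensible narrowing, because admin_pattern already grants list and manage on the iptables types' own directories. The `type iptables_runtime_t alias iptables_var_run_t;` line in the iptables.te hunk keeps the old name resolvable for external policy, which is why no deprecated wrapper is needed in iptables.if for the rename.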
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
 manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
 files_etc_filetrans(iptables_t, iptables_conf_t, file)
 
-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
 can_exec(iptables_t, iptables_exec_t)
 
+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
 allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
-kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)
 
-term_dontaudit_use_console(iptables_t)
-
 domain_use_interactive_fds(iptables_t)
 
-files_read_etc_files(iptables_t)
 files_read_etc_runtime_files(iptables_t)
 
 auth_use_nsswitch(iptables_t)
@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
 miscfiles_read_localization(iptables_t)
 
 sysnet_run_ifconfig(iptables_t, iptables_roles)
-sysnet_dns_name_resolve(iptables_t)
 
-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
 
 ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_mtrr(iptables_t)
@@ -142,10 +136,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
 	shorewall_read_tmp_files(iptables_t)
 	shorewall_rw_lib_files(iptables_t)
 	shorewall_read_config(iptables_t)
--
2.11.0
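Review bot: The `@@ -44,16 +44,15 @@`, `@@ -76,11 +75,8 @@`, `@@ -96,10 +92,8 @@` and `@@ -142,10 +136,6 @@` hunks drop kernel_getattr_proc, term_dontaudit_use_console, files_read_etc_files, sysnet_dns_name_resolve, userdom_use_all_users_fds and the seutil_sigchld_newrole block from iptables_t with no rationale in the description, whose subject is only "iptables: update". Presumably each is now covered by another call that survives (for instance name resolution through `auth_use_nsswitch(iptables_t)`, and /etc reads through a base domain interface), but a reader of this patch cannot distinguish a deliberate tightening from an accidental loss that will surface as denials when rules are restored at boot; a sentence per removed call in the description, or a short `# covered by auth_use_nsswitch` style comment next to the survivor, would make it checkable. The replacement `userdom_use_inherited_user_terminals(iptables_t)` is the right direction, since the tool only needs the terminal it inherited rather than every user terminal and file descriptor.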