From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 08 Jun 2017 19:46:31 +0200
Subject: [refpolicy] [PATCH 2/3] iptables: update
In-Reply-To: <C6063567-3E1D-4260-B3DE-16B69DAA6E9C@trentalancia.com>
References: <20170608171213.25823-1-cgzones@googlemail.com>
	<20170608171213.25823-2-cgzones@googlemail.com>
	<C6063567-3E1D-4260-B3DE-16B69DAA6E9C@trentalancia.com>
Message-ID: <D47FE651-43D3-4025-A836-8F316E986CFF@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I was wrong... 

On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>
>
>On the 8th of June 2017 19:12:12 CEST, "Christian G?ttsche via
>refpolicy" <refpolicy@oss.tresys.com> wrote:
>>From: cgzones <cgzones@googlemail.com>
>>
>>---
>> policy/modules/system/iptables.fc |  6 +++---
>>policy/modules/system/iptables.if | 33
>>++++++++++++++++-----------------
>> policy/modules/system/iptables.te | 24 +++++++-----------------
>> 3 files changed, 26 insertions(+), 37 deletions(-)
>>
>>diff --git a/policy/modules/system/iptables.fc
>>b/policy/modules/system/iptables.fc
>>index 181eee95c..60ad98374 100644
>>--- a/policy/modules/system/iptables.fc
>>+++ b/policy/modules/system/iptables.fc
>>@@ -4,6 +4,9 @@
>>/etc/sysconfig/ip6?tables.*		--	gen_context(system_u:object_r:iptables_conf_t,s0)
>>/etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
>> 
>>+/run/ebtables\.lock			--	gen_context(system_u:object_r:iptables_runtime_t,s0)
>>+/run/xtables.*				--	gen_context(system_u:object_r:iptables_runtime_t,s0)
>>+
>>/usr/bin/conntrack			--	gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/bin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/bin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
>>@@ -36,6 +39,3 @@
>>/usr/sbin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
>> /usr/sbin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
>>/usr/sbin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
>>-
>>-/run/ebtables\.lock			--	gen_context(system_u:object_r:iptables_var_run_t,s0)
>>-/run/xtables.*				--	gen_context(system_u:object_r:iptables_var_run_t,s0)
>>diff --git a/policy/modules/system/iptables.if
>>b/policy/modules/system/iptables.if
>>index 6321f8c4b..7d8f18217 100644
>>--- a/policy/modules/system/iptables.if
>>+++ b/policy/modules/system/iptables.if
>>@@ -1,4 +1,4 @@
>>-## <summary>Policy for iptables.</summary>
>>+## <summary>Administration tool for IP packet filtering and
>>NAT.</summary>
>> 
>> ########################################
>> ## <summary>
>>@@ -68,7 +68,7 @@ interface(`iptables_exec',`
>> 	can_exec($1, iptables_exec_t)
>> ')
>> 
>>-#####################################
>>+########################################
>> ## <summary>
>> ##	Execute iptables init scripts in
>> ##	the init script domain.
>>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
>> 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>> ')
>> 
>>-#####################################
>>+########################################
>> ## <summary>
>> ##	Set the attributes of iptables config files.
>> ## </summary>
>>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
>> 	allow $1 iptables_conf_t:file setattr;
>> ')
>> 
>>-#####################################
>>+########################################
>> ## <summary>
>> ##	Read iptables config files.
>> ## </summary>
>>@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
>> 	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
>> ')
>> 
>>-#####################################
>>+########################################
>> ## <summary>
>> ##	Create files in /etc with the type used for
>> ##	the iptables config files.
>>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
>> 	files_etc_filetrans($1, iptables_conf_t, file)
>> ')
>> 
>>-###################################
>>+########################################
>> ## <summary>
>> ##	Manage iptables config files.
>> ## </summary>
>>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
>> 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>> ')
>> 
>>-###################################
>>+########################################
>> ## <summary>
>>-##	dontaudit reading iptables_var_run_t
>>+##	dontaudit reading iptables_runtime_t
>> ## </summary>
>> ## <param name="domain">
>> ##	<summary>
>>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
>> #
>> interface(`iptables_dontaudit_read_pids',`
>> 	gen_require(`
>>-		type iptables_var_run_t;
>>+		type iptables_runtime_t;
>> 	')
>> 
>>-	dontaudit $1 iptables_var_run_t:file read;
>>+	dontaudit $1 iptables_runtime_t:file read;
>> ')
>> 
>> ########################################
>>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
>> interface(`iptables_admin',`
>> 	gen_require(`
>> 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>>-		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>>+		type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
>> 	')
>> 
>>-	allow $1 iptables_t:process { ptrace signal_perms };
>>-	ps_process_pattern($1, iptables_t)
>>+	admin_process_pattern($1, iptables_t)
>> 
>>	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>>iptables_unit_t)
>> 
>>-	files_list_etc($1)
>>+	files_search_etc($1)
>> 	admin_pattern($1, iptables_conf_t)
>> 
>>-	files_list_tmp($1)
>>+	files_search_tmp($1)
>> 	admin_pattern($1, iptables_tmp_t)
>> 
>>-	files_list_pids($1)
>>-	admin_pattern($1, iptables_var_run_t)
>>+	files_search_pids($1)
>>+	admin_pattern($1, iptables_runtime_t)
>> ')
>>diff --git a/policy/modules/system/iptables.te
>>b/policy/modules/system/iptables.te
>>index 5de8db0cb..869e684ea 100644
>>--- a/policy/modules/system/iptables.te
>>+++ b/policy/modules/system/iptables.te
>>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
>> type iptables_conf_t;
>> files_config_file(iptables_conf_t)
>> 
>>+type iptables_runtime_t alias iptables_var_run_t;
>>+files_pid_file(iptables_runtime_t)
>>+
>> type iptables_tmp_t;
>> files_tmp_file(iptables_tmp_t)
>> 
>> type iptables_unit_t;
>> init_unit_file(iptables_unit_t)
>> 
>>-type iptables_var_run_t;
>>-files_pid_file(iptables_var_run_t)
>>-
>> ########################################
>> #
>> # Iptables local policy
>>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>>create_socket_perms;
>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
>> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>> 
>>-manage_files_pattern(iptables_t, iptables_var_run_t,
>>iptables_var_run_t)
>>-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>>-
>> can_exec(iptables_t, iptables_exec_t)
>> 
>>+manage_files_pattern(iptables_t, iptables_runtime_t,
>>iptables_runtime_t)
>>+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>>+
>> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
>> allow iptables_t iptables_tmp_t:file manage_file_perms;
>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>> 
>>-kernel_getattr_proc(iptables_t)
>> kernel_request_load_module(iptables_t)
>> kernel_read_system_state(iptables_t)
>> kernel_read_network_state(iptables_t)
>>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>> 
>> mls_file_read_all_levels(iptables_t)
>> 
>>-term_dontaudit_use_console(iptables_t)
>>-
>> domain_use_interactive_fds(iptables_t)
>> 
>>-files_read_etc_files(iptables_t)
>
>I suspect that if you remove files_read_etc_files() from iptables.te
>and leave only files_read_etc_runtime_files(), you also need to create
>a more generic file context in kernel/files.fc: instead of just
>/etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*

This is not needed because there is the specific iptables_conf_t context... 

>But I have not tested yet, so I am not 100% sure yet...
> files_read_etc_runtime_files(iptables_t)
>> 
>> auth_use_nsswitch(iptables_t)
>>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
>> miscfiles_read_localization(iptables_t)
>> 
>> sysnet_run_ifconfig(iptables_t, iptables_roles)
>>-sysnet_dns_name_resolve(iptables_t)
>> 
>>-userdom_use_user_terminals(iptables_t)
>>-userdom_use_all_users_fds(iptables_t)
>>+userdom_use_inherited_user_terminals(iptables_t)
>> 
>> ifdef(`hide_broken_symptoms',`
>> 	dev_dontaudit_write_mtrr(iptables_t)
>>@@ -142,10 +136,6 @@ optional_policy(`
>> ')
>> 
>> optional_policy(`
>>-	seutil_sigchld_newrole(iptables_t)
>>-')
>>-
>>-optional_policy(`
>> 	shorewall_read_tmp_files(iptables_t)
>> 	shorewall_rw_lib_files(iptables_t)
>> 	shorewall_read_config(iptables_t)
>
>Regards, 
>
>Guido 
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy