From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 08 Jun 2017 19:46:31 +0200 Subject: [refpolicy] [PATCH 2/3] iptables: update In-Reply-To: References: <20170608171213.25823-1-cgzones@googlemail.com> <20170608171213.25823-2-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I was wrong... On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy wrote: > > >On the 8th of June 2017 19:12:12 CEST, "Christian G?ttsche via >refpolicy" wrote: >>From: cgzones >> >>--- >> policy/modules/system/iptables.fc | 6 +++--- >>policy/modules/system/iptables.if | 33 >>++++++++++++++++----------------- >> policy/modules/system/iptables.te | 24 +++++++----------------- >> 3 files changed, 26 insertions(+), 37 deletions(-) >> >>diff --git a/policy/modules/system/iptables.fc >>b/policy/modules/system/iptables.fc >>index 181eee95c..60ad98374 100644 >>--- a/policy/modules/system/iptables.fc >>+++ b/policy/modules/system/iptables.fc >>@@ -4,6 +4,9 @@ >>/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >>/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >> >>+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>+ >>/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) >>/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) >>/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) >>@@ -36,6 +39,3 @@ >>/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) >> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) >>/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) >>- >>-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0) >>-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) 
>>diff --git a/policy/modules/system/iptables.if >>b/policy/modules/system/iptables.if >>index 6321f8c4b..7d8f18217 100644 >>--- a/policy/modules/system/iptables.if >>+++ b/policy/modules/system/iptables.if >>@@ -1,4 +1,4 @@ >>-## Policy for iptables. >>+## Administration tool for IP packet filtering and >>NAT. >> >> ######################################## >> ## >>@@ -68,7 +68,7 @@ interface(`iptables_exec',` >> can_exec($1, iptables_exec_t) >> ') >> >>-##################################### >>+######################################## >> ## >> ## Execute iptables init scripts in >> ## the init script domain. >>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',` >> init_labeled_script_domtrans($1, iptables_initrc_exec_t) >> ') >> >>-##################################### >>+######################################## >> ## >> ## Set the attributes of iptables config files. >> ## >>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',` >> allow $1 iptables_conf_t:file setattr; >> ') >> >>-##################################### >>+######################################## >> ## >> ## Read iptables config files. >> ## >>@@ -126,7 +126,7 @@ interface(`iptables_read_config',` >> read_files_pattern($1, iptables_conf_t, iptables_conf_t) >> ') >> >>-##################################### >>+######################################## >> ## >> ## Create files in /etc with the type used for >> ## the iptables config files. >>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',` >> files_etc_filetrans($1, iptables_conf_t, file) >> ') >> >>-################################### >>+######################################## >> ## >> ## Manage iptables config files. >> ## 
>>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',` >> manage_files_pattern($1, iptables_conf_t, iptables_conf_t) >> ') >> >>-################################### >>+######################################## >> ## >>-## dontaudit reading iptables_var_run_t >>+## dontaudit reading iptables_runtime_t >> ## >> ## >> ## >>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',` >> # >> interface(`iptables_dontaudit_read_pids',` >> gen_require(` >>- type iptables_var_run_t; >>+ type iptables_runtime_t; >> ') >> >>- dontaudit $1 iptables_var_run_t:file read; >>+ dontaudit $1 iptables_runtime_t:file read; >> ') >> >> ######################################## >>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',` >> interface(`iptables_admin',` >> gen_require(` >> type iptables_t, iptables_initrc_exec_t, iptables_conf_t; >>- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t; >>+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t; >> ') >> >>- allow $1 iptables_t:process { ptrace signal_perms }; >>- ps_process_pattern($1, iptables_t) >>+ admin_process_pattern($1, iptables_t) >> >> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, >>iptables_unit_t) >> >>- files_list_etc($1) >>+ files_search_etc($1) >> admin_pattern($1, iptables_conf_t) >> >>- files_list_tmp($1) >>+ files_search_tmp($1) >> admin_pattern($1, iptables_tmp_t) >> >>- files_list_pids($1) >>- admin_pattern($1, iptables_var_run_t) >>+ files_search_pids($1) >>+ admin_pattern($1, iptables_runtime_t) >> ') >>diff --git a/policy/modules/system/iptables.te >>b/policy/modules/system/iptables.te >>index 5de8db0cb..869e684ea 100644 >>--- a/policy/modules/system/iptables.te >>+++ b/policy/modules/system/iptables.te 
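Review bot: In the `iptables_admin` hunk (@@ -204), replacing `files_list_etc`, `files_list_tmp` and `files_list_pids` with the `files_search_*` forms narrows what the admin domain gets from this interface from listing those directories to merely searching them; that is a privilege reduction rather than a rename and deserves one line of rationale, since an admin role that does not obtain directory listing elsewhere would lose `ls /run` style visibility of the iptables runtime files it is meant to manage. The swap of `allow $1 iptables_t:process { ptrace signal_perms }` plus `ps_process_pattern` for `admin_process_pattern($1, iptables_t)` reads as equivalent, presumably because that pattern expands to the same two grants; confirm it does not add `ptrace`-adjacent permissions beyond the original pair. The `iptables_dontaudit_read_pids` interface keeps its old name while its type becomes `iptables_runtime_t`, which is fine for compatibility but is worth stating in the summary, e.g. `## dontaudit reading iptables runtime (pid) files`.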
>>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t) >> type iptables_conf_t; >> files_config_file(iptables_conf_t) >> >>+type iptables_runtime_t alias iptables_var_run_t; >>+files_pid_file(iptables_runtime_t) >>+ >> type iptables_tmp_t; >> files_tmp_file(iptables_tmp_t) >> >> type iptables_unit_t; >> init_unit_file(iptables_unit_t) >> >>-type iptables_var_run_t; >>-files_pid_file(iptables_var_run_t) >>- >> ######################################## >> # >> # Iptables local policy >>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket >>create_socket_perms; >> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) >> files_etc_filetrans(iptables_t, iptables_conf_t, file) >> >>-manage_files_pattern(iptables_t, iptables_var_run_t, >>iptables_var_run_t) >>-files_pid_filetrans(iptables_t, iptables_var_run_t, file) >>- >> can_exec(iptables_t, iptables_exec_t) >> >>+manage_files_pattern(iptables_t, iptables_runtime_t, >>iptables_runtime_t) >>+files_pid_filetrans(iptables_t, iptables_runtime_t, file) >>+ >> allow iptables_t iptables_tmp_t:dir manage_dir_perms; >> allow iptables_t iptables_tmp_t:file manage_file_perms; >> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) >> >>-kernel_getattr_proc(iptables_t) >> kernel_request_load_module(iptables_t) >> kernel_read_system_state(iptables_t) >> kernel_read_network_state(iptables_t) 
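Review bot: Dropping `kernel_getattr_proc(iptables_t)` in the second iptables.te hunk (@@ -44) is not obviously covered by the calls that remain: in refpolicy that interface grants getattr on the proc filesystem itself (statfs on /proc), whereas `kernel_read_system_state` covers files and directories under /proc, so this looks like a permission change rather than a cleanup of a redundant rule. The patch carries no commit message, so there is no record of whether this and the other removals later in the series (`term_dontaudit_use_console`, `sysnet_dns_name_resolve`, `userdom_use_all_users_fds`, `seutil_sigchld_newrole` in the @@ -76, @@ -96 and @@ -142 hunks) were checked against audit logs or a rule-loading test; a one-line rationale per removed rule would let a reviewer distinguish "no longer needed" from "never exercised in my setup". If the removal is deliberate, a comment above the `kernel_*` block such as `# proc_t filesystem getattr not needed; see audit results in commit message` would preserve that decision. The `type iptables_runtime_t alias iptables_var_run_t;` line in the first hunk correctly keeps third-party modules that reference the old name loadable.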
>>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t) >> >> mls_file_read_all_levels(iptables_t) >> >>-term_dontaudit_use_console(iptables_t) >>- >> domain_use_interactive_fds(iptables_t) >> >>-files_read_etc_files(iptables_t) > >I suspect that if you remove files_read_etc_files() from iptables.te >and leave only files_read_etc_runtime_files(), you also need to create >a more generic file context in kernel/files.fc: instead of just >/etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.* This is not needed because there is the specific iptables_conf_t context... >But I have not tested yet, so I am not 100% sure yet... > files_read_etc_runtime_files(iptables_t) >> >> auth_use_nsswitch(iptables_t) >>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t) >> miscfiles_read_localization(iptables_t) >> >> sysnet_run_ifconfig(iptables_t, iptables_roles) >>-sysnet_dns_name_resolve(iptables_t) >> >>-userdom_use_user_terminals(iptables_t) >>-userdom_use_all_users_fds(iptables_t) >>+userdom_use_inherited_user_terminals(iptables_t) >> >> ifdef(`hide_broken_symptoms',` >> dev_dontaudit_write_mtrr(iptables_t) >>@@ -142,10 +136,6 @@ optional_policy(` >> ') >> >> optional_policy(` >>- seutil_sigchld_newrole(iptables_t) >>-') >>- >>-optional_policy(` >> shorewall_read_tmp_files(iptables_t) >> shorewall_rw_lib_files(iptables_t) >> shorewall_read_config(iptables_t) > >Regards, > >Guido > >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy
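Review bot: The @@ -96 hunk removes `sysnet_dns_name_resolve(iptables_t)` while `auth_use_nsswitch(iptables_t)` stays (visible as context in the @@ -76 hunk); if the intent is that nsswitch already supplies name resolution, say so, because iptables resolves hostnames written into rules and a regression here only surfaces when such a rule is loaded, typically as a denied UDP/TCP connect to port 53 in the audit log. The change from `userdom_use_user_terminals` to `userdom_use_inherited_user_terminals` is a sound least-privilege tightening — iptables keeps writing to a terminal it inherited but can no longer open user ttys on its own — and should be called out in the description as intentional. Removing `userdom_use_all_users_fds` at the same time means only `domain_use_interactive_fds` remains for inherited descriptors; confirm that covers the case of iptables started from a user shell via `sysnet_run_ifconfig`-style transitions.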