From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=) Date: Thu, 8 Jun 2017 19:48:42 +0200 Subject: [refpolicy] [PATCH 2/3] iptables: update In-Reply-To: References: <20170608171213.25823-1-cgzones@googlemail.com> <20170608171213.25823-2-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com files_read_etc_files(iptables_t) is included in auth_use_nsswitch(iptables_t) 2017-06-08 19:46 GMT+02:00 Guido Trentalancia via refpolicy : > I was wrong... > > On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy wrote: >> >> >>On the 8th of June 2017 19:12:12 CEST, "Christian G?ttsche via >>refpolicy" wrote: >>>From: cgzones >>> >>>--- >>> policy/modules/system/iptables.fc | 6 +++--- >>>policy/modules/system/iptables.if | 33 >>>++++++++++++++++----------------- >>> policy/modules/system/iptables.te | 24 +++++++----------------- >>> 3 files changed, 26 insertions(+), 37 deletions(-) >>> >>>diff --git a/policy/modules/system/iptables.fc >>>b/policy/modules/system/iptables.fc >>>index 181eee95c..60ad98374 100644 >>>--- a/policy/modules/system/iptables.fc >>>+++ b/policy/modules/system/iptables.fc >>>@@ -4,6 +4,9 @@ >>>/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >>>/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >>> >>>+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>>+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>>+ >>>/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) 
>>>@@ -36,6 +39,3 @@ >>>/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) >>> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>- >>>-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0) >>>-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) >>>diff --git a/policy/modules/system/iptables.if >>>b/policy/modules/system/iptables.if >>>index 6321f8c4b..7d8f18217 100644 >>>--- a/policy/modules/system/iptables.if >>>+++ b/policy/modules/system/iptables.if >>>@@ -1,4 +1,4 @@ >>>-## Policy for iptables. >>>+## Administration tool for IP packet filtering and >>>NAT. >>> >>> ######################################## >>> ## >>>@@ -68,7 +68,7 @@ interface(`iptables_exec',` >>> can_exec($1, iptables_exec_t) >>> ') >>> >>>-##################################### >>>+######################################## >>> ## >>> ## Execute iptables init scripts in >>> ## the init script domain. >>>@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',` >>> init_labeled_script_domtrans($1, iptables_initrc_exec_t) >>> ') >>> >>>-##################################### >>>+######################################## >>> ## >>> ## Set the attributes of iptables config files. >>> ## >>>@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',` >>> allow $1 iptables_conf_t:file setattr; >>> ') >>> >>>-##################################### >>>+######################################## >>> ## >>> ## Read iptables config files. >>> ## >>>@@ -126,7 +126,7 @@ interface(`iptables_read_config',` >>> read_files_pattern($1, iptables_conf_t, iptables_conf_t) >>> ') >>> >>>-##################################### >>>+######################################## >>> ## >>> ## Create files in /etc with the type used for >>> ## the iptables config files. 
>>>@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',` >>> files_etc_filetrans($1, iptables_conf_t, file) >>> ') >>> >>>-################################### >>>+######################################## >>> ## >>> ## Manage iptables config files. >>> ## >>>@@ -165,9 +165,9 @@ interface(`iptables_manage_config',` >>> manage_files_pattern($1, iptables_conf_t, iptables_conf_t) >>> ') >>> >>>-################################### >>>+######################################## >>> ## >>>-## dontaudit reading iptables_var_run_t >>>+## dontaudit reading iptables_runtime_t >>> ## >>> ## >>> ## >>>@@ -177,10 +177,10 @@ interface(`iptables_manage_config',` >>> # >>> interface(`iptables_dontaudit_read_pids',` >>> gen_require(` >>>- type iptables_var_run_t; >>>+ type iptables_runtime_t; >>> ') >>> >>>- dontaudit $1 iptables_var_run_t:file read; >>>+ dontaudit $1 iptables_runtime_t:file read; >>> ') >>> >>> ######################################## >>>@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',` >>> interface(`iptables_admin',` >>> gen_require(` >>> type iptables_t, iptables_initrc_exec_t, iptables_conf_t; >>>- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t; >>>+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t; >>> ') >>> >>>- allow $1 iptables_t:process { ptrace signal_perms }; >>>- ps_process_pattern($1, iptables_t) >>>+ admin_process_pattern($1, iptables_t) >>> >>> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, >>>iptables_unit_t) >>> >>>- files_list_etc($1) >>>+ files_search_etc($1) >>> admin_pattern($1, iptables_conf_t) >>> >>>- files_list_tmp($1) >>>+ files_search_tmp($1) >>> admin_pattern($1, iptables_tmp_t) >>> >>>- files_list_pids($1) >>>- admin_pattern($1, iptables_var_run_t) >>>+ files_search_pids($1) >>>+ admin_pattern($1, iptables_runtime_t) >>> ') >>>diff --git a/policy/modules/system/iptables.te >>>b/policy/modules/system/iptables.te >>>index 5de8db0cb..869e684ea 100644 
>>>--- a/policy/modules/system/iptables.te >>>+++ b/policy/modules/system/iptables.te >>>@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t) >>> type iptables_conf_t; >>> files_config_file(iptables_conf_t) >>> >>>+type iptables_runtime_t alias iptables_var_run_t; >>>+files_pid_file(iptables_runtime_t) >>>+ >>> type iptables_tmp_t; >>> files_tmp_file(iptables_tmp_t) >>> >>> type iptables_unit_t; >>> init_unit_file(iptables_unit_t) >>> >>>-type iptables_var_run_t; >>>-files_pid_file(iptables_var_run_t) >>>- >>> ######################################## >>> # >>> # Iptables local policy >>>@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket >>>create_socket_perms; >>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) >>> files_etc_filetrans(iptables_t, iptables_conf_t, file) >>> >>>-manage_files_pattern(iptables_t, iptables_var_run_t, >>>iptables_var_run_t) >>>-files_pid_filetrans(iptables_t, iptables_var_run_t, file) >>>- >>> can_exec(iptables_t, iptables_exec_t) >>> >>>+manage_files_pattern(iptables_t, iptables_runtime_t, >>>iptables_runtime_t) >>>+files_pid_filetrans(iptables_t, iptables_runtime_t, file) >>>+ >>> allow iptables_t iptables_tmp_t:dir manage_dir_perms; >>> allow iptables_t iptables_tmp_t:file manage_file_perms; >>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) >>> >>>-kernel_getattr_proc(iptables_t) >>> kernel_request_load_module(iptables_t) >>> kernel_read_system_state(iptables_t) >>> kernel_read_network_state(iptables_t) 
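Review bot: `kernel_getattr_proc(iptables_t)` is dropped at the end of this hunk without a stated reason (the patch carries no commit message), and it is not obviously covered by the `kernel_read_system_state(iptables_t)` line kept right below it: as far as I recall that interface grants file, symlink and directory access under proc_t but not the filesystem-class getattr that `kernel_getattr_proc` provides, so a statfs() on /proc by iptables_t would presumably start to be denied; please confirm against kernel.if before removing it. The same rationale gap applies to the later .te hunks that remove `term_dontaudit_use_console`, `sysnet_dns_name_resolve`, `userdom_use_all_users_fds` and the `seutil_sigchld_newrole` block, and to the narrowing to `userdom_use_inherited_user_terminals`. A commit description stating, for each dropped call, whether it is subsumed by another interface that stays in the file or was simply never exercised would let reviewers check the tightening line by line.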
>>>@@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t) >>> >>> mls_file_read_all_levels(iptables_t) >>> >>>-term_dontaudit_use_console(iptables_t) >>>- >>> domain_use_interactive_fds(iptables_t) >>> >>>-files_read_etc_files(iptables_t) >> >>I suspect that if you remove files_read_etc_files() from iptables.te >>and leave only files_read_etc_runtime_files(), you also need to create >>a more generic file context in kernel/files.fc: instead of just >>/etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.* > > This is not needed because there is the specific iptables_conf_t context... > >>But I have not tested yet, so I am not 100% sure yet... >> files_read_etc_runtime_files(iptables_t) >>> >>> auth_use_nsswitch(iptables_t) >>>@@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t) >>> miscfiles_read_localization(iptables_t) >>> >>> sysnet_run_ifconfig(iptables_t, iptables_roles) >>>-sysnet_dns_name_resolve(iptables_t) >>> >>>-userdom_use_user_terminals(iptables_t) >>>-userdom_use_all_users_fds(iptables_t) >>>+userdom_use_inherited_user_terminals(iptables_t) >>> >>> ifdef(`hide_broken_symptoms',` >>> dev_dontaudit_write_mtrr(iptables_t) >>>@@ -142,10 +136,6 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>>- seutil_sigchld_newrole(iptables_t) >>>-') >>>- >>>-optional_policy(` >>> shorewall_read_tmp_files(iptables_t) >>> shorewall_rw_lib_files(iptables_t) >>> shorewall_read_config(iptables_t) >> >>Regards, >> >>Guido >> >>_______________________________________________ >>refpolicy mailing list >>refpolicy at oss.tresys.com >>http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy