From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Jun 2017 18:46:03 -0400
Subject: [refpolicy] [PATCH 2/3] iptables: update
In-Reply-To: <CAJ2a_DdX8oGCrTZy0M-fF_Y8a2ySszAA8tC1LSJAPmCB2PjgqQ@mail.gmail.com>
References: <20170608171213.25823-1-cgzones@googlemail.com>
	<20170608171213.25823-2-cgzones@googlemail.com>
	<C6063567-3E1D-4260-B3DE-16B69DAA6E9C@trentalancia.com>
	<D47FE651-43D3-4025-A836-8F316E986CFF@trentalancia.com>
	<CAJ2a_DdX8oGCrTZy0M-fF_Y8a2ySszAA8tC1LSJAPmCB2PjgqQ@mail.gmail.com>
Message-ID: <d99aa293-fd7e-7fee-df6c-7913dfe7628b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/08/2017 01:48 PM, Christian G?ttsche via refpolicy wrote:
> files_read_etc_files(iptables_t) is included in auth_use_nsswitch(iptables_t)

Please don't remove rules just because they are part of 
auth_use_nsswitch().  See other thread for details.


> 2017-06-08 19:46 GMT+02:00 Guido Trentalancia via refpolicy
> <refpolicy@oss.tresys.com>:
>> I was wrong...
>>
>> On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>>>
>>>
>>> On the 8th of June 2017 19:12:12 CEST, "Christian G?ttsche via
>>> refpolicy" <refpolicy@oss.tresys.com> wrote:
>>>> From: cgzones <cgzones@googlemail.com>
>>>>
>>>> ---
>>>> policy/modules/system/iptables.fc |  6 +++---
>>>> policy/modules/system/iptables.if | 33
>>>> ++++++++++++++++-----------------
>>>> policy/modules/system/iptables.te | 24 +++++++-----------------
>>>> 3 files changed, 26 insertions(+), 37 deletions(-)
>>>>
>>>> diff --git a/policy/modules/system/iptables.fc
>>>> b/policy/modules/system/iptables.fc
>>>> index 181eee95c..60ad98374 100644
>>>> --- a/policy/modules/system/iptables.fc
>>>> +++ b/policy/modules/system/iptables.fc
>>>> @@ -4,6 +4,9 @@
>>>> /etc/sysconfig/ip6?tables.*           --      gen_context(system_u:object_r:iptables_conf_t,s0)
>>>> /etc/sysconfig/system-config-firewall.*       --      gen_context(system_u:object_r:iptables_conf_t,s0)
>>>>
>>>> +/run/ebtables\.lock                  --      gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>> +/run/xtables.*                               --      gen_context(system_u:object_r:iptables_runtime_t,s0)
>>>> +
>>>> /usr/bin/conntrack                    --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/bin/ebtables                     --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/bin/ebtables-restore             --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> @@ -36,6 +39,3 @@
>>>> /usr/sbin/ipvsadm-save                        --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/sbin/nft                                --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> /usr/sbin/xtables-multi                       --      gen_context(system_u:object_r:iptables_exec_t,s0)
>>>> -
>>>> -/run/ebtables\.lock                  --      gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>> -/run/xtables.*                               --      gen_context(system_u:object_r:iptables_var_run_t,s0)
>>>> diff --git a/policy/modules/system/iptables.if
>>>> b/policy/modules/system/iptables.if
>>>> index 6321f8c4b..7d8f18217 100644
>>>> --- a/policy/modules/system/iptables.if
>>>> +++ b/policy/modules/system/iptables.if
>>>> @@ -1,4 +1,4 @@
>>>> -## <summary>Policy for iptables.</summary>
>>>> +## <summary>Administration tool for IP packet filtering and
>>>> NAT.</summary>
>>>>
>>>> ########################################
>>>> ## <summary>
>>>> @@ -68,7 +68,7 @@ interface(`iptables_exec',`
>>>>      can_exec($1, iptables_exec_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ##   Execute iptables init scripts in
>>>> ##   the init script domain.
>>>> @@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
>>>>      init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ##   Set the attributes of iptables config files.
>>>> ## </summary>
>>>> @@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
>>>>      allow $1 iptables_conf_t:file setattr;
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ##   Read iptables config files.
>>>> ## </summary>
>>>> @@ -126,7 +126,7 @@ interface(`iptables_read_config',`
>>>>      read_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>>> ')
>>>>
>>>> -#####################################
>>>> +########################################
>>>> ## <summary>
>>>> ##   Create files in /etc with the type used for
>>>> ##   the iptables config files.
>>>> @@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
>>>>      files_etc_filetrans($1, iptables_conf_t, file)
>>>> ')
>>>>
>>>> -###################################
>>>> +########################################
>>>> ## <summary>
>>>> ##   Manage iptables config files.
>>>> ## </summary>
>>>> @@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
>>>>      manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
>>>> ')
>>>>
>>>> -###################################
>>>> +########################################
>>>> ## <summary>
>>>> -##   dontaudit reading iptables_var_run_t
>>>> +##   dontaudit reading iptables_runtime_t
>>>> ## </summary>
>>>> ## <param name="domain">
>>>> ##   <summary>
>>>> @@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
>>>> #
>>>> interface(`iptables_dontaudit_read_pids',`
>>>>      gen_require(`
>>>> -             type iptables_var_run_t;
>>>> +             type iptables_runtime_t;
>>>>      ')
>>>>
>>>> -     dontaudit $1 iptables_var_run_t:file read;
>>>> +     dontaudit $1 iptables_runtime_t:file read;
>>>> ')
>>>>
>>>> ########################################
>>>> @@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
>>>> interface(`iptables_admin',`
>>>>      gen_require(`
>>>>              type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
>>>> -             type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
>>>> +             type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
>>>>      ')
>>>>
>>>> -     allow $1 iptables_t:process { ptrace signal_perms };
>>>> -     ps_process_pattern($1, iptables_t)
>>>> +     admin_process_pattern($1, iptables_t)
>>>>
>>>>      init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t,
>>>> iptables_unit_t)
>>>>
>>>> -     files_list_etc($1)
>>>> +     files_search_etc($1)
>>>>      admin_pattern($1, iptables_conf_t)
>>>>
>>>> -     files_list_tmp($1)
>>>> +     files_search_tmp($1)
>>>>      admin_pattern($1, iptables_tmp_t)
>>>>
>>>> -     files_list_pids($1)
>>>> -     admin_pattern($1, iptables_var_run_t)
>>>> +     files_search_pids($1)
>>>> +     admin_pattern($1, iptables_runtime_t)
>>>> ')
>>>> diff --git a/policy/modules/system/iptables.te
>>>> b/policy/modules/system/iptables.te
>>>> index 5de8db0cb..869e684ea 100644
>>>> --- a/policy/modules/system/iptables.te
>>>> +++ b/policy/modules/system/iptables.te
>>>> @@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
>>>> type iptables_conf_t;
>>>> files_config_file(iptables_conf_t)
>>>>
>>>> +type iptables_runtime_t alias iptables_var_run_t;
>>>> +files_pid_file(iptables_runtime_t)
>>>> +
>>>> type iptables_tmp_t;
>>>> files_tmp_file(iptables_tmp_t)
>>>>
>>>> type iptables_unit_t;
>>>> init_unit_file(iptables_unit_t)
>>>>
>>>> -type iptables_var_run_t;
>>>> -files_pid_file(iptables_var_run_t)
>>>> -
>>>> ########################################
>>>> #
>>>> # Iptables local policy
>>>> @@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket
>>>> create_socket_perms;
>>>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
>>>> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>>>>
>>>> -manage_files_pattern(iptables_t, iptables_var_run_t,
>>>> iptables_var_run_t)
>>>> -files_pid_filetrans(iptables_t, iptables_var_run_t, file)
>>>> -
>>>> can_exec(iptables_t, iptables_exec_t)
>>>>
>>>> +manage_files_pattern(iptables_t, iptables_runtime_t,
>>>> iptables_runtime_t)
>>>> +files_pid_filetrans(iptables_t, iptables_runtime_t, file)
>>>> +
>>>> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
>>>> allow iptables_t iptables_tmp_t:file manage_file_perms;
>>>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>>>>
>>>> -kernel_getattr_proc(iptables_t)
>>>> kernel_request_load_module(iptables_t)
>>>> kernel_read_system_state(iptables_t)
>>>> kernel_read_network_state(iptables_t)
>>>> @@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t)
>>>>
>>>> mls_file_read_all_levels(iptables_t)
>>>>
>>>> -term_dontaudit_use_console(iptables_t)
>>>> -
>>>> domain_use_interactive_fds(iptables_t)
>>>>
>>>> -files_read_etc_files(iptables_t)
>>>
>>> I suspect that if you remove files_read_etc_files() from iptables.te
>>> and leave only files_read_etc_runtime_files(), you also need to create
>>> a more generic file context in kernel/files.fc: instead of just
>>> /etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.*
>>
>> This is not needed because there is the specific iptables_conf_t context...
>>
>>> But I have not tested yet, so I am not 100% sure yet...
>>> files_read_etc_runtime_files(iptables_t)
>>>>
>>>> auth_use_nsswitch(iptables_t)
>>>> @@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t)
>>>> miscfiles_read_localization(iptables_t)
>>>>
>>>> sysnet_run_ifconfig(iptables_t, iptables_roles)
>>>> -sysnet_dns_name_resolve(iptables_t)
>>>>
>>>> -userdom_use_user_terminals(iptables_t)
>>>> -userdom_use_all_users_fds(iptables_t)
>>>> +userdom_use_inherited_user_terminals(iptables_t)
>>>>
>>>> ifdef(`hide_broken_symptoms',`
>>>>      dev_dontaudit_write_mtrr(iptables_t)
>>>> @@ -142,10 +136,6 @@ optional_policy(`
>>>> ')
>>>>
>>>> optional_policy(`
>>>> -     seutil_sigchld_newrole(iptables_t)
>>>> -')
>>>> -
>>>> -optional_policy(`
>>>>      shorewall_read_tmp_files(iptables_t)
>>>>      shorewall_rw_lib_files(iptables_t)
>>>>      shorewall_read_config(iptables_t)
>>>
>>> Regards,
>>>
>>> Guido



-- 
Chris PeBenito