From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 8 Jun 2017 18:46:03 -0400 Subject: [refpolicy] [PATCH 2/3] iptables: update In-Reply-To: References: <20170608171213.25823-1-cgzones@googlemail.com> <20170608171213.25823-2-cgzones@googlemail.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/08/2017 01:48 PM, Christian G?ttsche via refpolicy wrote: > files_read_etc_files(iptables_t) is included in auth_use_nsswitch(iptables_t) Please don't remove rules just because they are part of auth_use_nsswitch(). See other thread for details. > 2017-06-08 19:46 GMT+02:00 Guido Trentalancia via refpolicy > : >> I was wrong... >> >> On the 8th of June 2017 19:38:49 CEST, Guido Trentalancia via refpolicy wrote: >>> >>> >>> On the 8th of June 2017 19:12:12 CEST, "Christian G?ttsche via >>> refpolicy" wrote: >>>> From: cgzones >>>> >>>> --- >>>> policy/modules/system/iptables.fc | 6 +++--- >>>> policy/modules/system/iptables.if | 33 >>>> ++++++++++++++++----------------- >>>> policy/modules/system/iptables.te | 24 +++++++----------------- >>>> 3 files changed, 26 insertions(+), 37 deletions(-) >>>> >>>> diff --git a/policy/modules/system/iptables.fc >>>> b/policy/modules/system/iptables.fc >>>> index 181eee95c..60ad98374 100644 >>>> --- a/policy/modules/system/iptables.fc >>>> +++ b/policy/modules/system/iptables.fc >>>> @@ -4,6 +4,9 @@ >>>> /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >>>> /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) >>>> >>>> +/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>>> +/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0) >>>> + >>>> /usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>> /usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>> /usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) 
>>>> @@ -36,6 +39,3 @@ >>>> /usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>> /usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) >>>> - >>>> -/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0) >>>> -/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) >>>> diff --git a/policy/modules/system/iptables.if >>>> b/policy/modules/system/iptables.if >>>> index 6321f8c4b..7d8f18217 100644 >>>> --- a/policy/modules/system/iptables.if >>>> +++ b/policy/modules/system/iptables.if >>>> @@ -1,4 +1,4 @@ >>>> -## Policy for iptables. >>>> +## Administration tool for IP packet filtering and >>>> NAT. >>>> >>>> ######################################## >>>> ## >>>> @@ -68,7 +68,7 @@ interface(`iptables_exec',` >>>> can_exec($1, iptables_exec_t) >>>> ') >>>> >>>> -##################################### >>>> +######################################## >>>> ## >>>> ## Execute iptables init scripts in >>>> ## the init script domain. >>>> @@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',` >>>> init_labeled_script_domtrans($1, iptables_initrc_exec_t) >>>> ') >>>> >>>> -##################################### >>>> +######################################## >>>> ## >>>> ## Set the attributes of iptables config files. >>>> ## >>>> @@ -106,7 +106,7 @@ interface(`iptables_setattr_config',` >>>> allow $1 iptables_conf_t:file setattr; >>>> ') >>>> >>>> -##################################### >>>> +######################################## >>>> ## >>>> ## Read iptables config files. >>>> ## >>>> @@ -126,7 +126,7 @@ interface(`iptables_read_config',` >>>> read_files_pattern($1, iptables_conf_t, iptables_conf_t) >>>> ') >>>> >>>> -##################################### >>>> +######################################## >>>> ## >>>> ## Create files in /etc with the type used for >>>> ## the iptables config files. 
>>>> @@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',` >>>> files_etc_filetrans($1, iptables_conf_t, file) >>>> ') >>>> >>>> -################################### >>>> +######################################## >>>> ## >>>> ## Manage iptables config files. >>>> ## >>>> @@ -165,9 +165,9 @@ interface(`iptables_manage_config',` >>>> manage_files_pattern($1, iptables_conf_t, iptables_conf_t) >>>> ') >>>> >>>> -################################### >>>> +######################################## >>>> ## >>>> -## dontaudit reading iptables_var_run_t >>>> +## dontaudit reading iptables_runtime_t >>>> ## >>>> ## >>>> ## >>>> @@ -177,10 +177,10 @@ interface(`iptables_manage_config',` >>>> # >>>> interface(`iptables_dontaudit_read_pids',` >>>> gen_require(` >>>> - type iptables_var_run_t; >>>> + type iptables_runtime_t; >>>> ') >>>> >>>> - dontaudit $1 iptables_var_run_t:file read; >>>> + dontaudit $1 iptables_runtime_t:file read; >>>> ') >>>> >>>> ######################################## >>>> @@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',` >>>> interface(`iptables_admin',` >>>> gen_require(` >>>> type iptables_t, iptables_initrc_exec_t, iptables_conf_t; >>>> - type iptables_tmp_t, iptables_var_run_t, iptables_unit_t; >>>> + type iptables_tmp_t, iptables_runtime_t, iptables_unit_t; >>>> ') >>>> >>>> - allow $1 iptables_t:process { ptrace signal_perms }; >>>> - ps_process_pattern($1, iptables_t) >>>> + admin_process_pattern($1, iptables_t) >>>> >>>> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, >>>> iptables_unit_t) >>>> >>>> - files_list_etc($1) >>>> + files_search_etc($1) >>>> admin_pattern($1, iptables_conf_t) >>>> >>>> - files_list_tmp($1) >>>> + files_search_tmp($1) >>>> admin_pattern($1, iptables_tmp_t) >>>> >>>> - files_list_pids($1) >>>> - admin_pattern($1, iptables_var_run_t) >>>> + files_search_pids($1) >>>> + admin_pattern($1, iptables_runtime_t) >>>> ') 
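Review bot: In the iptables_admin hunk (@@ -204), `files_list_etc($1)`, `files_list_tmp($1)` and `files_list_pids($1)` become the `files_search_*` variants, which drops the directory read permission the admin previously received through this interface and leaves only search; admin_pattern() covers only objects already labeled iptables_conf_t, iptables_tmp_t or iptables_runtime_t, and the config files sit directly under /etc/sysconfig (presumably etc_t), so the admin may no longer be able to enumerate them via this interface alone. If the narrowing is deliberate because admin roles obtain directory listing elsewhere, a sentence in the commit message saying so would settle it; otherwise keep the list variants. The swap of the explicit `allow $1 iptables_t:process { ptrace signal_perms };` plus ps_process_pattern() for `admin_process_pattern($1, iptables_t)` reads as equivalent, assuming that pattern expands to exactly those two rules.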
>>>> diff --git a/policy/modules/system/iptables.te >>>> b/policy/modules/system/iptables.te >>>> index 5de8db0cb..869e684ea 100644 >>>> --- a/policy/modules/system/iptables.te >>>> +++ b/policy/modules/system/iptables.te >>>> @@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t) >>>> type iptables_conf_t; >>>> files_config_file(iptables_conf_t) >>>> >>>> +type iptables_runtime_t alias iptables_var_run_t; >>>> +files_pid_file(iptables_runtime_t) >>>> + >>>> type iptables_tmp_t; >>>> files_tmp_file(iptables_tmp_t) >>>> >>>> type iptables_unit_t; >>>> init_unit_file(iptables_unit_t) >>>> >>>> -type iptables_var_run_t; >>>> -files_pid_file(iptables_var_run_t) >>>> - >>>> ######################################## >>>> # >>>> # Iptables local policy >>>> @@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket >>>> create_socket_perms; >>>> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) >>>> files_etc_filetrans(iptables_t, iptables_conf_t, file) >>>> >>>> -manage_files_pattern(iptables_t, iptables_var_run_t, >>>> iptables_var_run_t) >>>> -files_pid_filetrans(iptables_t, iptables_var_run_t, file) >>>> - >>>> can_exec(iptables_t, iptables_exec_t) >>>> >>>> +manage_files_pattern(iptables_t, iptables_runtime_t, >>>> iptables_runtime_t) >>>> +files_pid_filetrans(iptables_t, iptables_runtime_t, file) >>>> + >>>> allow iptables_t iptables_tmp_t:dir manage_dir_perms; >>>> allow iptables_t iptables_tmp_t:file manage_file_perms; >>>> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) >>>> >>>> -kernel_getattr_proc(iptables_t) >>>> kernel_request_load_module(iptables_t) >>>> kernel_read_system_state(iptables_t) >>>> kernel_read_network_state(iptables_t) 
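Review bot: The iptables.te hunk at @@ -44 drops `kernel_getattr_proc(iptables_t)` without a stated reason, and the patch carries no commit message at all (the `From: cgzones` line is followed directly by the `---` separator); the same applies to the removals of `term_dontaudit_use_console`, `userdom_use_all_users_fds` and `seutil_sigchld_newrole` in the @@ -76, @@ -96 and @@ -142 hunks. As far as I recall, kernel_read_system_state(), which stays, grants reads under proc_t but not the proc_t:filesystem getattr that kernel_getattr_proc() provides, so a statfs() of /proc by iptables would start producing a denial if that is what the rule was there for — worth confirming against kernel.if. Please add a commit message that lists each dropped rule together with the evidence (an interface that already covers it, or an audit run showing the permission is never exercised), so the type rename with its `iptables_var_run_t` alias can be reviewed separately from the permission changes.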
>>>> @@ -76,11 +75,8 @@ fs_list_inotifyfs(iptables_t) >>>> >>>> mls_file_read_all_levels(iptables_t) >>>> >>>> -term_dontaudit_use_console(iptables_t) >>>> - >>>> domain_use_interactive_fds(iptables_t) >>>> >>>> -files_read_etc_files(iptables_t) >>> >>> I suspect that if you remove files_read_etc_files() from iptables.te >>> and leave only files_read_etc_runtime_files(), you also need to create >>> a more generic file context in kernel/files.fc: instead of just >>> /etc/sysconfig/iptables.save probably /etc/sysconfig/iptables.* >> >> This is not needed because there is the specific iptables_conf_t context... >> >>> But I have not tested yet, so I am not 100% sure yet... >>> files_read_etc_runtime_files(iptables_t) >>>> >>>> auth_use_nsswitch(iptables_t) >>>> @@ -96,10 +92,8 @@ logging_send_syslog_msg(iptables_t) >>>> miscfiles_read_localization(iptables_t) >>>> >>>> sysnet_run_ifconfig(iptables_t, iptables_roles) >>>> -sysnet_dns_name_resolve(iptables_t) >>>> >>>> -userdom_use_user_terminals(iptables_t) >>>> -userdom_use_all_users_fds(iptables_t) >>>> +userdom_use_inherited_user_terminals(iptables_t) >>>> >>>> ifdef(`hide_broken_symptoms',` >>>> dev_dontaudit_write_mtrr(iptables_t) >>>> @@ -142,10 +136,6 @@ optional_policy(` >>>> ') >>>> >>>> optional_policy(` >>>> - seutil_sigchld_newrole(iptables_t) >>>> -') >>>> - >>>> -optional_policy(` >>>> shorewall_read_tmp_files(iptables_t) >>>> shorewall_rw_lib_files(iptables_t) >>>> shorewall_read_config(iptables_t) >>> >>> Regards, >>> >>> Guido -- Chris PeBenito
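Review bot: In the @@ -96 hunk, replacing `userdom_use_user_terminals(iptables_t)` and `userdom_use_all_users_fds(iptables_t)` with the single `userdom_use_inherited_user_terminals(iptables_t)` narrows in two directions at once: terminal access becomes inherited-only, and the fd-use permission on descriptors inherited from any user domain disappears unless the new interface includes it itself (confirm against userdomain.if). iptables is typically invoked from a user shell with inherited descriptors, so if that permission is not carried over the first such invocation will be denied on fd use. The @@ -76 hunk likewise removes the `term_dontaudit_use_console` dontaudit; it presumably existed because console denials were observed, and removing it surfaces them again if they still occur rather than silencing them. If the narrowing is deliberate, state it in the commit message; otherwise keep `userdom_use_all_users_fds(iptables_t)` next to the new line.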