2017-06-09 13:49:35

by Christian Göttsche

Subject: [refpolicy] [PATCH] iptables: update

From: cgzones <[email protected]>

v2:
- do not remove interfaces superseded by auth_use_nsswitch()
---
policy/modules/system/iptables.fc | 8 +++++---
policy/modules/system/iptables.if | 33 ++++++++++++++++-----------------
policy/modules/system/iptables.te | 22 +++++++---------------
3 files changed, 28 insertions(+), 35 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95c..32877b263 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)

+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+
/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -16,6 +19,7 @@
/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)

/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
@@ -35,7 +39,5 @@
/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4b..7d8f18217 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <summary>Policy for iptables.</summary>
+## <summary>Administration tool for IP packet filtering and NAT.</summary>

########################################
## <summary>
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
can_exec($1, iptables_exec_t)
')

-#####################################
+########################################
## <summary>
## Execute iptables init scripts in
## the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')

-#####################################
+########################################
## <summary>
## Set the attributes of iptables config files.
## </summary>
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
allow $1 iptables_conf_t:file setattr;
')

-#####################################
+########################################
## <summary>
## Read iptables config files.
## </summary>
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

-#####################################
+########################################
## <summary>
## Create files in /etc with the type used for
## the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
files_etc_filetrans($1, iptables_conf_t, file)
')

-###################################
+########################################
## <summary>
## Manage iptables config files.
## </summary>
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')

-###################################
+########################################
## <summary>
-## dontaudit reading iptables_var_run_t
+## dontaudit reading iptables_runtime_t
## </summary>
## <param name="domain">
## <summary>
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
#
interface(`iptables_dontaudit_read_pids',`
gen_require(`
- type iptables_var_run_t;
+ type iptables_runtime_t;
')

- dontaudit $1 iptables_var_run_t:file read;
+ dontaudit $1 iptables_runtime_t:file read;
')

########################################
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
')

- allow $1 iptables_t:process { ptrace signal_perms };
- ps_process_pattern($1, iptables_t)
+ admin_process_pattern($1, iptables_t)

init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)

- files_list_etc($1)
+ files_search_etc($1)
admin_pattern($1, iptables_conf_t)

- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, iptables_tmp_t)

- files_list_pids($1)
- admin_pattern($1, iptables_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, iptables_runtime_t)
')
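Review bot: The switch from `files_list_etc/tmp/pids($1)` to `files_search_*($1)` is a permission reduction for the admin domain (directory `search` instead of list/read), and `admin_process_pattern($1, iptables_t)` replaces the explicit `ptrace signal_perms` allow; neither is mentioned in the commit message, which only records the nsswitch change. Assuming refpolicy's `admin_process_pattern` expands to `ps_process_pattern` plus `{ ptrace signal_perms }`, the process part is a pure refactor, but a sentence in the log would keep the ptrace grant an explicit, reviewed decision. The `admin_pattern` calls on the three types already grant what is needed under those directories, so the search-only change looks correct.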
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0cb..33cd9343d 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
type iptables_conf_t;
files_config_file(iptables_conf_t)

+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)

type iptables_unit_t;
init_unit_file(iptables_unit_t)

-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
########################################
#
# Iptables local policy
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
files_etc_filetrans(iptables_t, iptables_conf_t, file)

-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
can_exec(iptables_t, iptables_exec_t)

+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })

-kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
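Review bot: Dropping `kernel_getattr_proc(iptables_t)` removes `proc_t:filesystem getattr` (statfs on /proc), which the remaining `kernel_read_system_state(iptables_t)` does not appear to grant, and the commit message gives no reason for the removal. If it was dropped because no denial was ever observed, say so in the log, or replace it with `kernel_dontaudit_getattr_proc(iptables_t)` so a future statfs from iptables or an xtables extension fails quietly instead of reopening the question. The rest of the hunk (moving the runtime rules below `can_exec`) is a pure reorder.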
@@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)

mls_file_read_all_levels(iptables_t)

-term_dontaudit_use_console(iptables_t)
-
domain_use_interactive_fds(iptables_t)

files_read_etc_files(iptables_t)
@@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
sysnet_run_ifconfig(iptables_t, iptables_roles)
sysnet_dns_name_resolve(iptables_t)

-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)

ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_mtrr(iptables_t)
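Review bot: Replacing `userdom_use_user_terminals` and `userdom_use_all_users_fds` with `userdom_use_inherited_user_terminals(iptables_t)` is a real tightening — iptables_t can no longer open user ttys/ptys itself or use arbitrary user-domain fds, only the ones it inherited — and it is not mentioned in the commit message. That is the right direction for a tool entered by domain transition (the `iptables_roles` users run it from their own shell, so stdio is inherited), but it is worth recording, and worth checking that no non-transition path (e.g. a helper spawned by shorewall, which this file already integrates with) relied on the broader access. A `# only the terminal it was started on is needed` comment above the new line would make the intent clear to the next editor.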
@@ -142,10 +138,6 @@ optional_policy(`
')

optional_policy(`
- seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
shorewall_read_config(iptables_t)
--
2.11.0


2017-06-12 22:43:02

by Chris PeBenito

Subject: [refpolicy] [PATCH] iptables: update

On 06/09/2017 09:49 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - do not remove interfaces superseded by auth_use_nsswitch()
> ---
> policy/modules/system/iptables.fc | 8 +++++---
> policy/modules/system/iptables.if | 33 ++++++++++++++++-----------------
> policy/modules/system/iptables.te | 22 +++++++---------------
> 3 files changed, 28 insertions(+), 35 deletions(-)
>
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 181eee95c..32877b263 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -4,6 +4,9 @@
> /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
> /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
> +/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
> +/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
> +
> /usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> @@ -16,6 +19,7 @@
> /usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
>
> /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
> @@ -35,7 +39,5 @@
> /usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
> +/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> /usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
> -
> -/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
> -/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 6321f8c4b..7d8f18217 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -1,4 +1,4 @@
> -## <summary>Policy for iptables.</summary>
> +## <summary>Administration tool for IP packet filtering and NAT.</summary>
>
> ########################################
> ## <summary>
> @@ -68,7 +68,7 @@ interface(`iptables_exec',`
> can_exec($1, iptables_exec_t)
> ')
>
> -#####################################
> +########################################
> ## <summary>
> ## Execute iptables init scripts in
> ## the init script domain.
> @@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
> init_labeled_script_domtrans($1, iptables_initrc_exec_t)
> ')
>
> -#####################################
> +########################################
> ## <summary>
> ## Set the attributes of iptables config files.
> ## </summary>
> @@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
> allow $1 iptables_conf_t:file setattr;
> ')
>
> -#####################################
> +########################################
> ## <summary>
> ## Read iptables config files.
> ## </summary>
> @@ -126,7 +126,7 @@ interface(`iptables_read_config',`
> read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
> -#####################################
> +########################################
> ## <summary>
> ## Create files in /etc with the type used for
> ## the iptables config files.
> @@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
> files_etc_filetrans($1, iptables_conf_t, file)
> ')
>
> -###################################
> +########################################
> ## <summary>
> ## Manage iptables config files.
> ## </summary>
> @@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
> manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> ')
>
> -###################################
> +########################################
> ## <summary>
> -## dontaudit reading iptables_var_run_t
> +## dontaudit reading iptables_runtime_t
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
> #
> interface(`iptables_dontaudit_read_pids',`
> gen_require(`
> - type iptables_var_run_t;
> + type iptables_runtime_t;
> ')
>
> - dontaudit $1 iptables_var_run_t:file read;
> + dontaudit $1 iptables_runtime_t:file read;
> ')
>
> ########################################
> @@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
> interface(`iptables_admin',`
> gen_require(`
> type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
> - type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
> + type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
> ')
>
> - allow $1 iptables_t:process { ptrace signal_perms };
> - ps_process_pattern($1, iptables_t)
> + admin_process_pattern($1, iptables_t)
>
> init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
>
> - files_list_etc($1)
> + files_search_etc($1)
> admin_pattern($1, iptables_conf_t)
>
> - files_list_tmp($1)
> + files_search_tmp($1)
> admin_pattern($1, iptables_tmp_t)
>
> - files_list_pids($1)
> - admin_pattern($1, iptables_var_run_t)
> + files_search_pids($1)
> + admin_pattern($1, iptables_runtime_t)
> ')
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 5de8db0cb..33cd9343d 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
> type iptables_conf_t;
> files_config_file(iptables_conf_t)
>
> +type iptables_runtime_t alias iptables_var_run_t;
> +files_pid_file(iptables_runtime_t)
> +
> type iptables_tmp_t;
> files_tmp_file(iptables_tmp_t)
>
> type iptables_unit_t;
> init_unit_file(iptables_unit_t)
>
> -type iptables_var_run_t;
> -files_pid_file(iptables_var_run_t)
> -
> ########################################
> #
> # Iptables local policy
> @@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> files_etc_filetrans(iptables_t, iptables_conf_t, file)
>
> -manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
> -files_pid_filetrans(iptables_t, iptables_var_run_t, file)
> -
> can_exec(iptables_t, iptables_exec_t)
>
> +manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
> +files_pid_filetrans(iptables_t, iptables_runtime_t, file)
> +
> allow iptables_t iptables_tmp_t:dir manage_dir_perms;
> allow iptables_t iptables_tmp_t:file manage_file_perms;
> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>
> -kernel_getattr_proc(iptables_t)
> kernel_request_load_module(iptables_t)
> kernel_read_system_state(iptables_t)
> kernel_read_network_state(iptables_t)
> @@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
>
> mls_file_read_all_levels(iptables_t)
>
> -term_dontaudit_use_console(iptables_t)
> -
> domain_use_interactive_fds(iptables_t)
>
> files_read_etc_files(iptables_t)
> @@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
> sysnet_run_ifconfig(iptables_t, iptables_roles)
> sysnet_dns_name_resolve(iptables_t)
>
> -userdom_use_user_terminals(iptables_t)
> -userdom_use_all_users_fds(iptables_t)
> +userdom_use_inherited_user_terminals(iptables_t)
>
> ifdef(`hide_broken_symptoms',`
> dev_dontaudit_write_mtrr(iptables_t)
> @@ -142,10 +138,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - seutil_sigchld_newrole(iptables_t)
> -')
> -
> -optional_policy(`
> shorewall_read_tmp_files(iptables_t)
> shorewall_rw_lib_files(iptables_t)
> shorewall_read_config(iptables_t)

Merged.

--
Chris PeBenito