From 1ca577db8ce57f9f3c908feedc47152fe2c3819d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 21 Mar 2011 09:42:12 -0400
Subject: [PATCH] Shorewall patch from Miroslav Grepl.

---
 Changelog | 1 +
 policy/modules/admin/shorewall.fc | 2 ++
 policy/modules/admin/shorewall.if | 56 ++++++++++++++++++++++++++-----
 policy/modules/admin/shorewall.te | 5 ++-
 policy/modules/system/init.te | 7 +++-
 policy/modules/system/iptables.te | 3 +-
 6 files changed, 62 insertions(+), 12 deletions(-)

diff --git a/Changelog b/Changelog
index 1d816c7f5..40825f1db 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Shorewall patch from Miroslav Grepl.
 - Cpufreqselector dbus patch from Guido Trentalancia.
 - Cron pam_namespace and pam_loginuid support from Harry Ciao.
 - Xserver update for startx from Sven Vermeulen.
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
index 029cb7e9b..48d13634b 100644
--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
@@ -11,4 +11,6 @@
 /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
 /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
+
 /var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 094892172..781ad7e8a 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
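Review bot: The new lock-file context covers only `/var/lock/subsys/shorewall`, while the context lines right above it in the same hunk label separate `/var/lib/shorewall6` and `/var/lib/shorewall-lite` trees as `shorewall_var_lib_t`. If the shorewall6 and shorewall-lite init scripts create their own subsys lock files (I cannot confirm that from this patch), those files will keep the generic lock label and the `admin_pattern($1, shorewall_lock_t)` rule in `shorewall_admin` will not reach them. Consider `/var/lock/subsys/shorewall(6|-lite)? -- gen_context(system_u:object_r:shorewall_lock_t,s0)`, or one line per variant to mirror the var/lib entries.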
@@ -18,6 +18,24 @@ interface(`shorewall_domtrans',`
 domtrans_pattern($1, shorewall_exec_t, shorewall_t)
 ')
+######################################
+##
+## Execute a domain transition to run shorewall.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`shorewall_lib_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_var_lib_t;
+ ')
+
+ domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+')
+
 #######################################
 ##
 ## Read shorewall etc configuration files.
@@ -117,7 +135,26 @@ interface(`shorewall_rw_lib_files',`
 #######################################
 ##
-## All of the rules required to administrate
+## Read shorewall tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_tmp_files',`
+ gen_require(`
+ type shorewall_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
+')
+
+#######################################
+##
+## All of the rules required to administrate
 ## an shorewall environment
 ##
 ##
@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',`
 #
 interface(`shorewall_admin',`
 gen_require(`
- type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+ type shorewall_t, shorewall_lock_t;
+ type shorewall_log_t;
 type shorewall_initrc_exec_t, shorewall_var_lib_t;
- type shorewall_tmp_t;
+ type shorewall_tmp_t, shorewall_etc_t;
 ')
 allow $1 shorewall_t:process { ptrace signal_perms };
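Review bot: `shorewall_lib_domtrans` hands `$1` execute and entrypoint on every file of type `shorewall_var_lib_t` (the `domtrans_pattern` target is the state-directory type, which the shorewall.fc hunk in this patch applies to whole `/var/lib/shorewall*` trees), not just the generated firewall script, yet its summary is word-for-word that of `shorewall_domtrans`. A reader choosing between the two interfaces needs to know which entry file is meant and why the ordinary one does not cover it. I would replace the summary with `## Execute the shorewall-generated firewall script, which lives in the shorewall var/lib directory (shorewall_var_lib_t) rather than under shorewall_exec_t, with a domain transition to shorewall_t.` and add a sentence noting that anything able to write shorewall_var_lib_t can change what the caller ends up running as shorewall_t. The interface body itself is complete within this hunk.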
@@ -147,18 +185,18 @@ interface(`shorewall_admin',`
 role_transition $2 shorewall_initrc_exec_t system_r;
 allow $2 system_r;
- files_search_etc($1)
+ files_list_etc($1)
 admin_pattern($1, shorewall_etc_t)
- files_search_locks($1)
+ files_list_locks($1)
 admin_pattern($1, shorewall_lock_t)
- files_search_pids($1)
- admin_pattern($1, shorewall_var_run_t)
+ logging_list_logs($1)
+ admin_pattern($1, shorewall_log_t)
- files_search_var_lib($1)
+ files_list_var_lib($1)
 admin_pattern($1, shorewall_var_lib_t)
- files_search_tmp($1)
+ files_list_tmp($1)
 admin_pattern($1, shorewall_tmp_t)
 ')
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index c17b6a669..95bce8805 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.2.0)
+policy_module(shorewall, 1.2.1)
 ########################################
 #
@@ -27,6 +27,7 @@ files_tmp_file(shorewall_tmp_t)
 # var/lib files
 type shorewall_var_lib_t;
 files_type(shorewall_var_lib_t)
+domain_entry_file(shorewall_t, shorewall_var_lib_t)
 type shorewall_log_t;
 logging_log_file(shorewall_log_t)
@@ -59,6 +60,8 @@ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
 files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+
 kernel_read_kernel_sysctls(shorewall_t)
 kernel_read_network_state(shorewall_t)
 kernel_read_system_state(shorewall_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ea295133d..29a95659f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.16.3)
+policy_module(init, 1.16.4)
 gen_require(`
 class passwd rootok;
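Review bot: The `files_search_pids($1)` / `admin_pattern($1, shorewall_var_run_t)` pair is removed from `shorewall_admin` instead of being kept beside the new `shorewall_log_t` rules, and none of the shorewall.te hunks in this patch delete `shorewall_var_run_t`, so an administrator domain loses the ability to clean up the pid file. Unless that type was dropped in a change not shown here, I would keep `files_list_pids($1)` and `admin_pattern($1, shorewall_var_run_t)` in this hunk and put `shorewall_var_run_t` back into the interface's `gen_require`, which sits in the previous hunk outside this one. If dropping pid-file administration is intentional, a one-line comment saying why would stop the next reader from re-adding it.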
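Review bot: `domain_entry_file(shorewall_t, shorewall_var_lib_t)` turns every file of the writable state type into an entrypoint for `shorewall_t`, and the context of the following hunk shows `manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)`, so the domain can rewrite its own entrypoint files; the `shorewall_rw_lib_files(iptables_t)` call kept in the iptables.te hunk presumably lets `iptables_t` write the same type. That is weaker than the usual refpolicy arrangement, where entrypoints are a dedicated exec type that the domain cannot modify. If the generated `/var/lib/shorewall/firewall` script has to be the entry file, I would at least record the trade-off above the line, e.g. `# the compiled firewall script lives in the writable var/lib tree and is an entrypoint for shorewall_t, so whatever can write shorewall_var_lib_t controls what initrc_t runs as shorewall_t`, and consider giving the script its own exec type in a follow-up.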
@@ -780,6 +780,11 @@ optional_policy(`
 samba_read_winbind_pid(initrc_t)
 ')
+optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+')
+
 optional_policy(`
 squid_read_config(initrc_t)
 squid_manage_logs(initrc_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index a3fdcb389..8dbb3a1bc 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.11.0)
+policy_module(iptables, 1.11.1)
 ########################################
 #
@@ -123,6 +123,7 @@ optional_policy(`
 ')
 optional_policy(`
+ shorewall_read_tmp_files(iptables_t)
 shorewall_rw_lib_files(iptables_t)
 ')
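Review bot: The comment `# shorewall-init script run /var/lib/shorewall/firewall` is ungrammatical and states what happens rather than why a second domtrans interface is needed here. The reason, as far as this patch shows, is that the script sits in a directory labeled `shorewall_var_lib_t` (per the var/lib entries in the shorewall.fc hunk) rather than `shorewall_exec_t`, which is the case `shorewall_domtrans` already covers. I would write `# the shorewall-init script executes /var/lib/shorewall/firewall, which is labeled shorewall_var_lib_t rather than shorewall_exec_t, so the ordinary shorewall_domtrans does not apply`. The optional_policy block is complete within this hunk.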