Add interface to get status of iptables service

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2025-02-10 00:27:22 +00:00 · 2019-01-07 19:50:23 +00:00 · 2019-01-07 19:50:23 +00:00 · 43a77c30fa
commit 43a77c30fa
parent e8ba31557d
1 changed files with 19 additions and 0 deletions
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@ -183,6 +183,25 @@ interface(`iptables_dontaudit_read_pids',`
 	dontaudit $1 iptables_runtime_t:file read;
 ')

+########################################
+## <summary>
+##	Allow specified domain to get status of iptables service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`iptables_status',`
+	gen_require(`
+		type iptables_unit_t;
+		class service status;
+	')
+
+	allow $1 iptables_unit_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to