## Service daemon with a D-BUS interface that provides a dynamic managed firewall. ######################################## ## ## Read firewalld configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`firewalld_read_config_files',` gen_require(` type firewalld_etc_rw_t; ') files_search_etc($1) read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) ') ######################################## ## ## Send and receive messages from ## firewalld over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`firewalld_dbus_chat',` gen_require(` type firewalld_t; class dbus send_msg; ') allow $1 firewalld_t:dbus send_msg; allow firewalld_t $1:dbus send_msg; ') ######################################## ## ## Do not audit attempts to read, snd ## write firewalld temporary files. ## ## ## ## Domain to not audit. ## ## # interface(`firewalld_dontaudit_rw_tmp_files',` gen_require(` type firewalld_tmp_t; ') dontaudit $1 firewalld_tmp_t:file { read write }; ') ######################################## ## ## Read firewalld runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`firewalld_read_var_run_files',` gen_require(` type firewalld_runtime_t; ') files_search_runtime($1) read_files_pattern($1, firewalld_runtime_t, firewalld_runtime_t) ') ######################################## ## ## All of the rules required to ## administrate an firewalld environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`firewalld_admin',` gen_require(` type firewalld_t, firewalld_initrc_exec_t; type firewalld_etc_rw_t, firewalld_runtime_t; type firewalld_var_log_t; ') allow $1 firewalld_t:process { ptrace signal_perms }; ps_process_pattern($1, firewalld_t) init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t) files_search_runtime($1) admin_pattern($1, firewalld_runtime_t) logging_search_logs($1) admin_pattern($1, firewalld_var_log_t) files_search_etc($1) admin_pattern($1, firewalld_etc_rw_t) ')