c2b04d1ea2
Patches for modutils, at least one of which is needed to generate an initramfs on Debian. Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc. Patch for brctl to allow it to create sysfs files.
159 lines
3.7 KiB
Plaintext
159 lines
3.7 KiB
Plaintext
policy_module(iptables, 1.18.4)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute_role iptables_roles;
|
|
roleattribute system_r iptables_roles;
|
|
|
|
type iptables_t;
|
|
type iptables_exec_t;
|
|
init_system_domain(iptables_t, iptables_exec_t)
|
|
role iptables_roles types iptables_t;
|
|
|
|
type iptables_initrc_exec_t;
|
|
init_script_file(iptables_initrc_exec_t)
|
|
|
|
type iptables_conf_t;
|
|
files_config_file(iptables_conf_t)
|
|
|
|
type iptables_tmp_t;
|
|
files_tmp_file(iptables_tmp_t)
|
|
|
|
type iptables_unit_t;
|
|
init_unit_file(iptables_unit_t)
|
|
|
|
type iptables_var_run_t;
|
|
files_pid_file(iptables_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Iptables local policy
|
|
#
|
|
|
|
allow iptables_t self:capability { dac_override dac_read_search net_admin net_raw };
|
|
dontaudit iptables_t self:capability sys_tty_config;
|
|
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
|
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
|
allow iptables_t self:netlink_socket create_socket_perms;
|
|
allow iptables_t self:netlink_netfilter_socket create_socket_perms;
|
|
allow iptables_t self:rawip_socket create_socket_perms;
|
|
|
|
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
|
files_etc_filetrans(iptables_t, iptables_conf_t, file)
|
|
|
|
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
|
|
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
|
|
|
|
can_exec(iptables_t, iptables_exec_t)
|
|
|
|
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
|
|
allow iptables_t iptables_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
|
|
|
|
kernel_getattr_proc(iptables_t)
|
|
kernel_request_load_module(iptables_t)
|
|
kernel_read_system_state(iptables_t)
|
|
kernel_read_network_state(iptables_t)
|
|
kernel_read_kernel_sysctls(iptables_t)
|
|
kernel_read_modprobe_sysctls(iptables_t)
|
|
kernel_use_fds(iptables_t)
|
|
|
|
# needed by ipvsadm
|
|
corecmd_exec_bin(iptables_t)
|
|
corecmd_exec_shell(iptables_t)
|
|
|
|
corenet_relabelto_all_packets(iptables_t)
|
|
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
|
|
|
dev_read_sysfs(iptables_t)
|
|
|
|
fs_getattr_xattr_fs(iptables_t)
|
|
fs_search_auto_mountpoints(iptables_t)
|
|
fs_list_inotifyfs(iptables_t)
|
|
|
|
mls_file_read_all_levels(iptables_t)
|
|
|
|
term_dontaudit_use_console(iptables_t)
|
|
|
|
domain_use_interactive_fds(iptables_t)
|
|
|
|
files_read_etc_files(iptables_t)
|
|
files_read_etc_runtime_files(iptables_t)
|
|
|
|
auth_use_nsswitch(iptables_t)
|
|
|
|
init_use_fds(iptables_t)
|
|
init_use_script_ptys(iptables_t)
|
|
# to allow rules to be saved on reboot:
|
|
init_rw_script_tmp_files(iptables_t)
|
|
init_rw_script_stream_sockets(iptables_t)
|
|
|
|
logging_send_syslog_msg(iptables_t)
|
|
|
|
miscfiles_read_localization(iptables_t)
|
|
|
|
sysnet_run_ifconfig(iptables_t, iptables_roles)
|
|
sysnet_dns_name_resolve(iptables_t)
|
|
|
|
userdom_use_user_terminals(iptables_t)
|
|
userdom_use_all_users_fds(iptables_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
dev_dontaudit_write_mtrr(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fail2ban_append_log(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
firewalld_read_config_files(iptables_t)
|
|
firewalld_read_var_run_files(iptables_t)
|
|
firewalld_dontaudit_rw_tmp_files(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
firstboot_use_fds(iptables_t)
|
|
firstboot_rw_pipes(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
modutils_run(iptables_t, iptables_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
# for iptables -L
|
|
nis_use_ypbind(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ppp_dontaudit_use_fds(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
psad_rw_tmp_files(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rhgb_dontaudit_use_ptys(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
shorewall_read_tmp_files(iptables_t)
|
|
shorewall_rw_lib_files(iptables_t)
|
|
shorewall_read_config(iptables_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(iptables_t)
|
|
# this is for iptables_t to inherit a file hande from xen vif-bridge
|
|
udev_manage_pid_files(iptables_t)
|
|
')
|