Introduce iptables_admin

2015-06-09 00:38:21 +04:00 · 2015-06-09 00:38:21 +04:00 · 43da2d2ad0
commit 43da2d2ad0
parent 0a088aa8ac
2 changed files with 40 additions and 0 deletions
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -178,6 +178,7 @@ optional_policy(`
 ')

 optional_policy(`
+	iptables_admin(sysadm_t, sysadm_r)
 	iptables_run(sysadm_t, sysadm_r)
 ')

--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@ -163,3 +163,42 @@ interface(`iptables_manage_config',`
 	files_search_etc($1)
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an iptables
+##	environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`iptables_admin',`
+	gen_require(`
+		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
+		type iptables_tmp_t, iptables_var_run_t;
+	')
+
+	allow $1 iptables_t:process { ptrace signal_perms };
+	ps_process_pattern($1, iptables_t)
+
+	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+
+	files_list_etc($1)
+	admin_pattern($1, iptables_conf_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, iptables_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, iptables_var_run_t)
+')