iptables: update
v2: - do not remove interfaces superseded by auth_use_nsswitch()
parent
ea74a35ba7
commit
ce7aa47ff5
@ -4,6 +4,9 @@
|
||||
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||
|
||||
/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
|
||||
/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
|
||||
|
||||
/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
@ -16,6 +19,7 @@
|
||||
/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
|
||||
@ -35,7 +39,5 @@
|
||||
/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
|
||||
/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
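Review bot: The new entry `/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)` in the first hunk leaves the dot unescaped, so it matches any name beginning with `/run/xtables`, while the neighbouring `/run/ebtables\.lock` escapes its dot and matches only the lock file. If only the lock file is meant, write `/run/xtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)`; if the broader match is deliberate (several xtables files under /run), a short comment above the pair saying so would stop the next reader from "fixing" it. Since the .te keeps `iptables_var_run_t` as an alias of `iptables_runtime_t`, the label change itself appears to be a rename of the same type and should not require a relabel of existing files, but that is inferred from the type declaration hunk rather than visible in this file.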
|
||||
|
@ -1,4 +1,4 @@
|
||||
## <summary>Policy for iptables.</summary>
|
||||
## <summary>Administration tool for IP packet filtering and NAT.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -68,7 +68,7 @@ interface(`iptables_exec',`
|
||||
can_exec($1, iptables_exec_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute iptables init scripts in
|
||||
## the init script domain.
|
||||
@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
|
||||
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Set the attributes of iptables config files.
|
||||
## </summary>
|
||||
@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
|
||||
allow $1 iptables_conf_t:file setattr;
|
||||
')
|
||||
|
||||
#####################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Read iptables config files.
|
||||
## </summary>
|
||||
@ -126,7 +126,7 @@ interface(`iptables_read_config',`
|
||||
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Create files in /etc with the type used for
|
||||
## the iptables config files.
|
||||
@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
|
||||
files_etc_filetrans($1, iptables_conf_t, file)
|
||||
')
|
||||
|
||||
###################################
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage iptables config files.
|
||||
## </summary>
|
||||
@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
|
||||
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
|
||||
')
|
||||
|
||||
###################################
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit reading iptables_var_run_t
|
||||
## dontaudit reading iptables_runtime_t
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
|
||||
#
|
||||
interface(`iptables_dontaudit_read_pids',`
|
||||
gen_require(`
|
||||
type iptables_var_run_t;
|
||||
type iptables_runtime_t;
|
||||
')
|
||||
|
||||
dontaudit $1 iptables_var_run_t:file read;
|
||||
dontaudit $1 iptables_runtime_t:file read;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
|
||||
interface(`iptables_admin',`
|
||||
gen_require(`
|
||||
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
|
||||
type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
|
||||
type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
|
||||
')
|
||||
|
||||
allow $1 iptables_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, iptables_t)
|
||||
admin_process_pattern($1, iptables_t)
|
||||
|
||||
init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
|
||||
|
||||
files_list_etc($1)
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, iptables_conf_t)
|
||||
|
||||
files_list_tmp($1)
|
||||
files_search_tmp($1)
|
||||
admin_pattern($1, iptables_tmp_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, iptables_var_run_t)
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, iptables_runtime_t)
|
||||
')
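Review bot: In `iptables_admin`, `admin_process_pattern($1, iptables_t)` replaces the explicit `allow $1 iptables_t:process { ptrace signal_perms };` plus `ps_process_pattern`, so whether the admin role keeps ptrace over the iptables domain now depends on that pattern's definition, which is not visible here; confirm it still grants `{ ptrace signal_perms }` or, if ptrace is dropped, state that in the commit message, since ptrace is the most powerful permission this interface hands out. The `files_list_*` to `files_search_*` changes on etc, tmp and pids directories narrow the admin role to traversal only, which is all `admin_pattern` on the iptables types needs; a one-line comment such as `# search only: the admin manages iptables-typed files, not the parent directories` would make the intent survive the next cleanup. In the earlier `iptables_dontaudit_read_pids` hunk the summary now reads `## dontaudit reading iptables_runtime_t`, which documents a type name rather than behaviour; `## Do not audit attempts to read iptables runtime files.` matches the style of the other summaries in this file.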
|
||||
|
@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
|
||||
type iptables_conf_t;
|
||||
files_config_file(iptables_conf_t)
|
||||
|
||||
type iptables_runtime_t alias iptables_var_run_t;
|
||||
files_pid_file(iptables_runtime_t)
|
||||
|
||||
type iptables_tmp_t;
|
||||
files_tmp_file(iptables_tmp_t)
|
||||
|
||||
type iptables_unit_t;
|
||||
init_unit_file(iptables_unit_t)
|
||||
|
||||
type iptables_var_run_t;
|
||||
files_pid_file(iptables_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Iptables local policy
|
||||
@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
|
||||
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
||||
files_etc_filetrans(iptables_t, iptables_conf_t, file)
|
||||
|
||||
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
|
||||
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
|
||||
|
||||
can_exec(iptables_t, iptables_exec_t)
|
||||
|
||||
manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
|
||||
files_pid_filetrans(iptables_t, iptables_runtime_t, file)
|
||||
|
||||
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
|
||||
allow iptables_t iptables_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
|
||||
|
||||
kernel_getattr_proc(iptables_t)
|
||||
kernel_request_load_module(iptables_t)
|
||||
kernel_read_system_state(iptables_t)
|
||||
kernel_read_network_state(iptables_t)
|
||||
@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
|
||||
|
||||
mls_file_read_all_levels(iptables_t)
|
||||
|
||||
term_dontaudit_use_console(iptables_t)
|
||||
|
||||
domain_use_interactive_fds(iptables_t)
|
||||
|
||||
files_read_etc_files(iptables_t)
|
||||
@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
|
||||
sysnet_run_ifconfig(iptables_t, iptables_roles)
|
||||
sysnet_dns_name_resolve(iptables_t)
|
||||
|
||||
userdom_use_user_terminals(iptables_t)
|
||||
userdom_use_all_users_fds(iptables_t)
|
||||
userdom_use_inherited_user_terminals(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_mtrr(iptables_t)
|
||||
@ -141,10 +137,6 @@ optional_policy(`
|
||||
rhgb_dontaudit_use_ptys(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
shorewall_read_tmp_files(iptables_t)
|
||||
shorewall_rw_lib_files(iptables_t)
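Review bot: `userdom_use_inherited_user_terminals(iptables_t)` replacing `userdom_use_user_terminals` in the `@ -98,8 +95,7 @@` hunk, if these follow the refpolicy definitions, drops the ability to open user ttys/ptys and leaves only read/write on descriptors iptables inherits, which is the right least-privilege shape for a tool run from a shell; together with the removal of `term_dontaudit_use_console(iptables_t)` in the `@ -76,8 +75,6 @@` hunk, any code path that reopens its terminal will now surface as an AVC denial instead of being silently suppressed, so expect new audit entries rather than breakage. Neither of these, nor the removal of the `seutil_sigchld_newrole` block in the last hunk, is mentioned in the commit message, which only covers the nsswitch interfaces. A comment above the terminal call, `# only inherited terminal fds are needed; opening ttys is not allowed`, would record the intent. The enclosing local-policy block continues outside these hunks.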
|
||||
|