iptables: update

v2:
 - do not remove interfaces superseded by auth_use_nsswitch()
cgzones 2017-06-09 15:49:35 +02:00 committed by Chris PeBenito
parent ea74a35ba7
commit ce7aa47ff5
3 changed files with 28 additions and 35 deletions


@ -4,6 +4,9 @@
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@ -16,6 +19,7 @@
/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
@ -35,7 +39,5 @@
/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
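Review bot: `/usr/bin/conntrack` (L18) is the only program in this hunk without a visible `/usr/sbin` twin, whereas ipvsadm-*, nft and xtables-* appear in both the `/usr/bin` hunk and the `/usr/sbin` hunk below. If the file does not already carry `/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)` earlier (outside this hunk), conntrack on a system without a merged /usr/sbin would keep the generic binary label and never get whatever domain transition is keyed on iptables_exec_t. The move of `/run/ebtables\.lock` and `/run/xtables.*` from the end of the file (removed at L34-L35) to L16-L17 under iptables_runtime_t is consistent with the alias declared in the .te file, so that part raises nothing.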


@ -1,4 +1,4 @@
## <summary>Policy for iptables.</summary>
## <summary>Administration tool for IP packet filtering and NAT.</summary>
########################################
## <summary>
@ -68,7 +68,7 @@ interface(`iptables_exec',`
can_exec($1, iptables_exec_t)
')
#####################################
########################################
## <summary>
## Execute iptables init scripts in
## the init script domain.
@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
#####################################
########################################
## <summary>
## Set the attributes of iptables config files.
## </summary>
@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
allow $1 iptables_conf_t:file setattr;
')
#####################################
########################################
## <summary>
## Read iptables config files.
## </summary>
@ -126,7 +126,7 @@ interface(`iptables_read_config',`
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
#####################################
########################################
## <summary>
## Create files in /etc with the type used for
## the iptables config files.
@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
files_etc_filetrans($1, iptables_conf_t, file)
')
###################################
########################################
## <summary>
## Manage iptables config files.
## </summary>
@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
###################################
########################################
## <summary>
## dontaudit reading iptables_var_run_t
## dontaudit reading iptables_runtime_t
## </summary>
## <param name="domain">
## <summary>
@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
#
interface(`iptables_dontaudit_read_pids',`
gen_require(`
type iptables_var_run_t;
type iptables_runtime_t;
')
dontaudit $1 iptables_var_run_t:file read;
dontaudit $1 iptables_runtime_t:file read;
')
########################################
@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
')
allow $1 iptables_t:process { ptrace signal_perms };
ps_process_pattern($1, iptables_t)
admin_process_pattern($1, iptables_t)
init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
files_list_etc($1)
files_search_etc($1)
admin_pattern($1, iptables_conf_t)
files_list_tmp($1)
files_search_tmp($1)
admin_pattern($1, iptables_tmp_t)
files_list_pids($1)
admin_pattern($1, iptables_var_run_t)
files_search_pids($1)
admin_pattern($1, iptables_runtime_t)
')
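Review bot: The summary of `iptables_dontaudit_read_pids` at L91 now only restates the type name; because the interface keeps its legacy `_pids` name (callers stay valid since the .te declares `iptables_runtime_t alias iptables_var_run_t`), the summary should describe the behaviour rather than the type, e.g. `## Do not audit attempts to read iptables runtime (/run) files.`. A one-line comment above `interface(`iptables_dontaudit_read_pids',` noting that the name is kept for compatibility would also prevent a later "rename to _runtime" churn. The gen_require at L109-L111 and `admin_pattern($1, iptables_runtime_t)` at L126 in `iptables_admin` are consistent with the rename and need nothing further.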


@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
type iptables_conf_t;
files_config_file(iptables_conf_t)
type iptables_runtime_t alias iptables_var_run_t;
files_pid_file(iptables_runtime_t)
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
type iptables_unit_t;
init_unit_file(iptables_unit_t)
type iptables_var_run_t;
files_pid_file(iptables_var_run_t)
########################################
#
# Iptables local policy
@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
files_etc_filetrans(iptables_t, iptables_conf_t, file)
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
can_exec(iptables_t, iptables_exec_t)
manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
files_pid_filetrans(iptables_t, iptables_runtime_t, file)
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
sysnet_run_ifconfig(iptables_t, iptables_roles)
sysnet_dns_name_resolve(iptables_t)
userdom_use_user_terminals(iptables_t)
userdom_use_all_users_fds(iptables_t)
userdom_use_inherited_user_terminals(iptables_t)
ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_mtrr(iptables_t)
@ -141,10 +137,6 @@ optional_policy(`
rhgb_dontaudit_use_ptys(iptables_t)
')
optional_policy(`
seutil_sigchld_newrole(iptables_t)
')
optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
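Review bot: `sysnet_dns_name_resolve(iptables_t)` at L167 is added without a comment explaining why a packet-filter loader needs name resolution; iptables accepts hostnames in rules and resolves them when the rule set is loaded, which is presumably what this covers, so a line such as `# hostnames in rule sets are resolved at load time` above it would keep a later reviewer from trimming the access. `files_read_etc_files(iptables_t)` (L164) is dropped in the hunk at L160 while the commit message says v2 keeps interfaces superseded by auth_use_nsswitch(); if that read access is now granted elsewhere, stating so in the message would make the removal verifiable. The final hunk (L173) reads as complete only if the rendering dropped blank lines, since its old-side count of 10 does not match the 8 lines shown.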