author | cgzones <cgzones@googlemail.com> | 2017-06-09 15:49:35 +0200 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-06-13 16:02:15 +0800 |
commit | a99a839587e7ef976a9b068e0bbebd031a2b1b76 (patch) | |
tree | 25972d85e399c2520261e6efbdb9887cd44c67fa | |
parent | netutils: update (diff) | |
iptables: update
v2:
- do not remove interfaces superseded by auth_use_nsswitch()
-rw-r--r-- | policy/modules/system/iptables.fc | 8 | ||||
-rw-r--r-- | policy/modules/system/iptables.if | 33 | ||||
-rw-r--r-- | policy/modules/system/iptables.te | 22 |
3 files changed, 28 insertions, 35 deletions
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95..32877b26 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
 /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+
 /usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -16,6 +19,7 @@
 /usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
@@ -35,7 +39,5 @@
 /usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4..7d8f1821 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <summary>Policy for iptables.</summary>
+## <summary>Administration tool for IP packet filtering and NAT.</summary>
 
 ########################################
 ## <summary>
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
 	can_exec($1, iptables_exec_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ## Execute iptables init scripts in
 ## the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ## Set the attributes of iptables config files.
 ## </summary>
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
 	allow $1 iptables_conf_t:file setattr;
 ')
 
-#####################################
+########################################
 ## <summary>
 ## Read iptables config files.
 ## </summary>
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
 	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ## Create files in /etc with the type used for
 ## the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
 	files_etc_filetrans($1, iptables_conf_t, file)
 ')
 
-###################################
+########################################
 ## <summary>
 ## Manage iptables config files.
 ## </summary>
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-###################################
+########################################
 ## <summary>
-## dontaudit reading iptables_var_run_t
+## dontaudit reading iptables_runtime_t
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
 #
 interface(`iptables_dontaudit_read_pids',`
 	gen_require(`
-		type iptables_var_run_t;
+		type iptables_runtime_t;
 	')
 
-	dontaudit $1 iptables_var_run_t:file read;
+	dontaudit $1 iptables_runtime_t:file read;
 ')
 
 ########################################
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
 interface(`iptables_admin',`
 	gen_require(`
 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
-		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+		type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
 	')
 
-	allow $1 iptables_t:process { ptrace signal_perms };
-	ps_process_pattern($1, iptables_t)
+	admin_process_pattern($1, iptables_t)
 
 	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
-	files_list_etc($1)
+	files_search_etc($1)
 	admin_pattern($1, iptables_conf_t)
 
-	files_list_tmp($1)
+	files_search_tmp($1)
 	admin_pattern($1, iptables_tmp_t)
 
-	files_list_pids($1)
-	admin_pattern($1, iptables_var_run_t)
+	files_search_pids($1)
+	admin_pattern($1, iptables_runtime_t)
 ')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0c..33cd9343 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
 type iptables_conf_t;
 files_config_file(iptables_conf_t)
 
+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
 type iptables_unit_t;
 init_unit_file(iptables_unit_t)
 
-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
 ########################################
 #
 # Iptables local policy
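Review bot: The new `type iptables_runtime_t alias iptables_var_run_t;` line in the iptables.te hunk carries no comment explaining why the alias is kept, so a later cleanup could drop it without noticing that any policy still written against the old name (out-of-tree modules, or callers that `gen_require` `iptables_var_run_t`) only keeps building because of it. A one-line comment above the declaration would record the intent: `# iptables_var_run_t kept as an alias for policy still using the old name`. Presumably the alias is also what keeps the old .fc entries relabelable on systems that have not been re-labelled yet; if so, that is worth stating in the same comment.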
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
 manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
 files_etc_filetrans(iptables_t, iptables_conf_t, file)
 
-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
 can_exec(iptables_t, iptables_exec_t)
 
+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
 allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
-kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
@@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)
 
-term_dontaudit_use_console(iptables_t)
-
 domain_use_interactive_fds(iptables_t)
 
 files_read_etc_files(iptables_t)
@@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
 sysnet_run_ifconfig(iptables_t, iptables_roles)
 sysnet_dns_name_resolve(iptables_t)
 
-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
 
 ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_mtrr(iptables_t)
@@ -142,10 +138,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
 	shorewall_read_tmp_files(iptables_t)
 	shorewall_rw_lib_files(iptables_t)
 	shorewall_read_config(iptables_t) |
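Review bot: The removals of `kernel_getattr_proc`, `term_dontaudit_use_console`, `userdom_use_all_users_fds` and the `seutil_sigchld_newrole` optional block across the four iptables.te hunks are not mentioned anywhere in the commit message, which only explains what was deliberately not removed. Each is a behaviour change in its own right: if iptables_t still exercises any of the first three they will now surface as AVC denials instead of being granted or silenced, and the `userdom_use_user_terminals` to `userdom_use_inherited_user_terminals` swap narrows tty access to inherited descriptors only, which is a tightening a distribution may want to know about. Listing them in the message with the reason (for instance "no longer observed in audit logs", if that is how they were chosen) would let a reviewer confirm they were verified rather than dropped by pattern. The final `optional_policy` block continues past the end of the hunk.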