authorcgzones <cgzones@googlemail.com>2017-06-09 15:49:35 +0200
committerJason Zaman <jason@perfinion.com>2017-06-13 16:02:15 +0800
commita99a839587e7ef976a9b068e0bbebd031a2b1b76 (patch)
tree25972d85e399c2520261e6efbdb9887cd44c67fa
parentnetutils: update (diff)
iptables: update
v2: - do not remove interfaces superseded by auth_use_nsswitch()
-rw-r--r--policy/modules/system/iptables.fc8
-rw-r--r--policy/modules/system/iptables.if33
-rw-r--r--policy/modules/system/iptables.te22
3 files changed, 28 insertions, 35 deletions
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95..32877b26 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.* -- gen_context(system_u:object_r:iptables_runtime_t,s0)
+
/usr/bin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -16,6 +19,7 @@
/usr/bin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/bin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
@@ -35,7 +39,5 @@
/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-compat-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock -- gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4..7d8f1821 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <summary>Policy for iptables.</summary>
+## <summary>Administration tool for IP packet filtering and NAT.</summary>
########################################
## <summary>
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
can_exec($1, iptables_exec_t)
')
-#####################################
+########################################
## <summary>
## Execute iptables init scripts in
## the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
-#####################################
+########################################
## <summary>
## Set the attributes of iptables config files.
## </summary>
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
allow $1 iptables_conf_t:file setattr;
')
-#####################################
+########################################
## <summary>
## Read iptables config files.
## </summary>
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
-#####################################
+########################################
## <summary>
## Create files in /etc with the type used for
## the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
files_etc_filetrans($1, iptables_conf_t, file)
')
-###################################
+########################################
## <summary>
## Manage iptables config files.
## </summary>
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
')
-###################################
+########################################
## <summary>
-## dontaudit reading iptables_var_run_t
+## dontaudit reading iptables_runtime_t
## </summary>
## <param name="domain">
## <summary>
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
#
interface(`iptables_dontaudit_read_pids',`
gen_require(`
- type iptables_var_run_t;
+ type iptables_runtime_t;
')
- dontaudit $1 iptables_var_run_t:file read;
+ dontaudit $1 iptables_runtime_t:file read;
')
########################################
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+ type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
')
- allow $1 iptables_t:process { ptrace signal_perms };
- ps_process_pattern($1, iptables_t)
+ admin_process_pattern($1, iptables_t)
init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
- files_list_etc($1)
+ files_search_etc($1)
admin_pattern($1, iptables_conf_t)
- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, iptables_tmp_t)
- files_list_pids($1)
- admin_pattern($1, iptables_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, iptables_runtime_t)
')
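Review bot: The summary of `iptables_dontaudit_read_pids` in the `@@ -165,9 +165,9 @@` hunk is updated only by swapping the type name, so it still reads as a bare type reference instead of describing what the interface does; refpolicy summaries normally state the effect in words, e.g. `## Do not audit attempts to read iptables runtime files.`. Keeping the `_pids` suffix on the interface name is the right choice for callers in other modules, and the `iptables_var_run_t` alias declared in iptables.te keeps any external `gen_require` of the old type resolving, so this is a documentation point only.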
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0c..33cd9343 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
type iptables_conf_t;
files_config_file(iptables_conf_t)
+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
type iptables_unit_t;
init_unit_file(iptables_unit_t)
-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
########################################
#
# Iptables local policy
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
files_etc_filetrans(iptables_t, iptables_conf_t, file)
-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
can_exec(iptables_t, iptables_exec_t)
+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
-kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
@@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
-term_dontaudit_use_console(iptables_t)
-
domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
@@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
sysnet_run_ifconfig(iptables_t, iptables_roles)
sysnet_dns_name_resolve(iptables_t)
-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_mtrr(iptables_t)
@@ -142,10 +138,6 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
shorewall_read_config(iptables_t)