diff options
Diffstat (limited to 'policy/modules/contrib/shorewall.if')
-rw-r--r-- | policy/modules/contrib/shorewall.if | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/policy/modules/contrib/shorewall.if b/policy/modules/contrib/shorewall.if new file mode 100644 index 00000000..781ad7e8 --- /dev/null +++ b/policy/modules/contrib/shorewall.if @@ -0,0 +1,202 @@ +## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary> + +######################################## +## <summary> +## Execute a domain transition to run shorewall. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`shorewall_domtrans',` + gen_require(` + type shorewall_t, shorewall_exec_t; + ') + + domtrans_pattern($1, shorewall_exec_t, shorewall_t) +') + +###################################### +## <summary> +## Execute a domain transition to run shorewall. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`shorewall_lib_domtrans',` + gen_require(` + type shorewall_t, shorewall_var_lib_t; + ') + + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) +') + +####################################### +## <summary> +## Read shorewall etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_config',` + gen_require(` + type shorewall_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) +') + +####################################### +## <summary> +## Read shorewall PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +####################################### +## <summary> +## Read and write shorewall PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_rw_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +###################################### +## <summary> +## Read shorewall /var/lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_lib_files',` + gen_require(` + type shorewall_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## <summary> +## Read and write shorewall /var/lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_rw_lib_files',` + gen_require(` + type shorewall_var_lib_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## <summary> +## Read shorewall tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_tmp_files',` + gen_require(` + type shorewall_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) +') + +####################################### +## <summary> +## All of the rules required to administrate +## an shorewall environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`shorewall_admin',` + gen_require(` + type shorewall_t, shorewall_lock_t; + type shorewall_log_t; + type shorewall_initrc_exec_t, shorewall_var_lib_t; + type shorewall_tmp_t, shorewall_etc_t; + ') + + allow $1 shorewall_t:process { ptrace signal_perms }; + ps_process_pattern($1, shorewall_t) + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + + files_list_locks($1) + admin_pattern($1, shorewall_lock_t) + + logging_list_logs($1) + admin_pattern($1, shorewall_log_t) + + files_list_var_lib($1) + admin_pattern($1, shorewall_var_lib_t) + + files_list_tmp($1) + admin_pattern($1, shorewall_tmp_t) +') |