diff options
Diffstat (limited to 'policy/modules/system/iptables.te')
-rw-r--r-- | policy/modules/system/iptables.te | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te new file mode 100644 index 000000000..0646ee7f9 --- /dev/null +++ b/policy/modules/system/iptables.te @@ -0,0 +1,145 @@ +policy_module(iptables, 1.13.0) + +######################################## +# +# Declarations +# + +attribute_role iptables_roles; +roleattribute system_r iptables_roles; + +type iptables_t; +type iptables_exec_t; +init_system_domain(iptables_t, iptables_exec_t) +role iptables_roles types iptables_t; + +type iptables_initrc_exec_t; +init_script_file(iptables_initrc_exec_t) + +type iptables_conf_t; +files_config_file(iptables_conf_t) + +type iptables_tmp_t; +files_tmp_file(iptables_tmp_t) + +type iptables_var_run_t; +files_pid_file(iptables_var_run_t) + +######################################## +# +# Iptables local policy +# + +allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; +dontaudit iptables_t self:capability sys_tty_config; +allow iptables_t self:fifo_file rw_fifo_file_perms; +allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +allow iptables_t self:netlink_socket create_socket_perms; +allow iptables_t self:rawip_socket create_socket_perms; + +manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) +files_etc_filetrans(iptables_t, iptables_conf_t, file) + +manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) +files_pid_filetrans(iptables_t, iptables_var_run_t, file) + +can_exec(iptables_t, iptables_exec_t) + +allow iptables_t iptables_tmp_t:dir manage_dir_perms; +allow iptables_t iptables_tmp_t:file manage_file_perms; +files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + +kernel_request_load_module(iptables_t) +kernel_read_system_state(iptables_t) +kernel_read_network_state(iptables_t) +kernel_read_kernel_sysctls(iptables_t) +kernel_read_modprobe_sysctls(iptables_t) +kernel_use_fds(iptables_t) + +# needed by ipvsadm +corecmd_exec_bin(iptables_t) +corecmd_exec_shell(iptables_t) + +corenet_relabelto_all_packets(iptables_t) +corenet_dontaudit_rw_tun_tap_dev(iptables_t) + +dev_read_sysfs(iptables_t) + +fs_getattr_xattr_fs(iptables_t) +fs_search_auto_mountpoints(iptables_t) +fs_list_inotifyfs(iptables_t) + +mls_file_read_all_levels(iptables_t) + +term_dontaudit_use_console(iptables_t) + +domain_use_interactive_fds(iptables_t) + +files_read_etc_files(iptables_t) +files_read_etc_runtime_files(iptables_t) + +auth_use_nsswitch(iptables_t) + +init_use_fds(iptables_t) +init_use_script_ptys(iptables_t) +# to allow rules to be saved on reboot: +init_rw_script_tmp_files(iptables_t) +init_rw_script_stream_sockets(iptables_t) + +logging_send_syslog_msg(iptables_t) + +miscfiles_read_localization(iptables_t) + +sysnet_run_ifconfig(iptables_t, iptables_roles) +sysnet_dns_name_resolve(iptables_t) + +userdom_use_user_terminals(iptables_t) +userdom_use_all_users_fds(iptables_t) + +ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_mtrr(iptables_t) +') + +optional_policy(` + fail2ban_append_log(iptables_t) +') + +optional_policy(` + firstboot_use_fds(iptables_t) + firstboot_rw_pipes(iptables_t) +') + +optional_policy(` + modutils_run_insmod(iptables_t, iptables_roles) +') + +optional_policy(` + # for iptables -L + nis_use_ypbind(iptables_t) +') + +optional_policy(` + ppp_dontaudit_use_fds(iptables_t) +') + +optional_policy(` + psad_rw_tmp_files(iptables_t) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(iptables_t) +') + +optional_policy(` + seutil_sigchld_newrole(iptables_t) +') + +optional_policy(` + shorewall_read_tmp_files(iptables_t) + shorewall_rw_lib_files(iptables_t) + shorewall_read_config(iptables_t) +') + +optional_policy(` + udev_read_db(iptables_t) +') |