Iptables patch from Dan Walsh.

This commit is contained in:
Chris PeBenito 2010-03-18 08:10:21 -04:00
parent a124c0a81f
commit 4fbcd778de
2 changed files with 8 additions and 2 deletions


@ -107,7 +107,7 @@ interface(`shorewall_read_lib_files',`
# #
interface(`shorewall_rw_lib_files',` interface(`shorewall_rw_lib_files',`
gen_require(` gen_require(`
type shorewall_t; type shorewall_var_lib_t;
') ')
files_search_var_lib($1) files_search_var_lib($1)


@ -1,5 +1,5 @@
policy_module(iptables, 1.10.1) policy_module(iptables, 1.10.2)
######################################## ########################################
# #
@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config; dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms;
@ -53,6 +54,7 @@ kernel_read_modprobe_sysctls(iptables_t)
kernel_use_fds(iptables_t) kernel_use_fds(iptables_t)
corenet_relabelto_all_packets(iptables_t) corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t) dev_read_sysfs(iptables_t)
@ -121,6 +123,10 @@ optional_policy(`
seutil_sigchld_newrole(iptables_t) seutil_sigchld_newrole(iptables_t)
') ')
optional_policy(`
shorewall_rw_lib_files(iptables_t)
')
optional_policy(` optional_policy(`
udev_read_db(iptables_t) udev_read_db(iptables_t)
') ')
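Review bot: The new `shorewall_rw_lib_files(iptables_t)` block grants iptables_t write access to shorewall_var_lib_t without saying why write rather than read is needed, while a narrower `shorewall_read_lib_files` interface exists in the same file (visible in the first hunk's header). If the write is only for an inherited descriptor (for example shorewall redirecting iptables-save output into /var/lib/shorewall), that is worth stating so the grant is not widened further later; if no write is needed, `shorewall_read_lib_files(iptables_t)` is the least-privilege choice. I would add a one-line comment above the call, `# shorewall writes iptables-save output into its lib dir via an inherited fd; rw needed`, adjusted to whatever the actual use case is. Note that the require in `shorewall_rw_lib_files` is corrected to shorewall_var_lib_t in this same commit, so the two changes depend on each other and should land together.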