From 625be1b4e6b4cc7926379891b50ef95dfb96f139 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 2 Sep 2009 08:58:52 -0400
Subject: [PATCH] add shorewall from dan.
---
Changelog | 1 +
policy/modules/admin/shorewall.fc | 11 +++
policy/modules/admin/shorewall.if | 124 ++++++++++++++++++++++++++++++
policy/modules/admin/shorewall.te | 93 ++++++++++++++++++++++
policy/modules/system/iptables.fc | 2 -
policy/modules/system/iptables.te | 2 +-
6 files changed, 230 insertions(+), 3 deletions(-)
create mode 100644 policy/modules/admin/shorewall.fc
create mode 100644 policy/modules/admin/shorewall.if
create mode 100644 policy/modules/admin/shorewall.te
diff --git a/Changelog b/Changelog
index 51dceb7e..e0331c3a 100644
--- a/Changelog
+++ b/Changelog
@@ -11,6 +11,7 @@
 - Added modules:
 hddtemp (Dan Walsh)
 kdump (Dan Walsh)
+ shorewall (Dan Walsh)
 
 * Thu Jul 30 2009 Chris PeBenito - 2.20090730
 - Gentoo fixes for init scripts and system startup.
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
new file mode 100644
index 00000000..288ece1f
--- /dev/null
+++ b/policy/modules/admin/shorewall.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
new file mode 100644
index 00000000..1d3badea
--- /dev/null
+++ b/policy/modules/admin/shorewall.if
@@ -0,0 +1,124 @@
+## Shoreline Firewall high-level tool for configuring netfilter
+
+########################################
+##
+## Execute a domain transition to run shorewall.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+##
+## Read shorewall etc configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_config',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+##
+## Read shorewall PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+##
+## Read and write shorewall PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+##
+## All of the rules required to administrate
+## an shorewall environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the syslog domain.
+##
+##
+##
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, shorewall_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
new file mode 100644
index 00000000..1ad6de74
--- /dev/null
+++ b/policy/modules/admin/shorewall.te
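Review bot: shorewall_admin calls `admin_pattern($1, shorewall_etc_t)` but its gen_require block lists only shorewall_t, shorewall_var_run_t, shorewall_lock_t, shorewall_initrc_exec_t, shorewall_var_lib_t and shorewall_tmp_t, so a module that uses this interface will fail to link on the undeclared type; add `type shorewall_etc_t;` to the gen_require block. Likewise shorewall_var_run_t, required by shorewall_read_pid_files, shorewall_rw_pid_files and shorewall_admin, is not declared in the shorewall.te added by this commit and has no file context, so every caller of those three interfaces breaks the build; either declare it in shorewall.te with `type shorewall_var_run_t; files_pid_file(shorewall_var_run_t)` plus the matching rules and labeling, or leave the PID interfaces out until the type exists. The role parameter documentation of shorewall_admin reads "The role to be allowed to manage the syslog domain." and looks copied from another module; it should say "the shorewall domain". The interface summary "an shorewall environment" should read "a shorewall environment".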
@@ -0,0 +1,93 @@
+
+policy_module(shorewall, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+
+manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+
+optional_policy(`
+ iptables_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index cc04d8d8..ac6c7899 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -5,5 +5,3 @@
 /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 79a89e85..b70500e4 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables, 1.9.0)
+policy_module(iptables, 1.9.1)
 ########################################
 #
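Review bot: The self:capability allow in the "shorewall local policy" section grants `sys_ptrace`, and the same section calls `domain_read_all_domains_state(shorewall_t)`, yet nothing in the hunk explains why a tool that reads sysctls and drives iptables/ifconfig needs to trace or inspect every process on the system; either drop both until a denial shows they are needed, or put a why-comment above the allow line such as `# sys_ptrace / all-domains state: <reason from audit log>`. The shorewall_var_lib_t rules combine `manage_files_pattern` with `exec_files_pattern` on the same type, so shorewall_t writes and then executes the same files under /var/lib/shorewall; that presumably reflects how shorewall runs its generated firewall script, but a comment on the exec line saying so would stop a later reviewer from tightening it away as an accident. The file also opens with an empty line before `policy_module(shorewall, 1.0.0)`, which the other modules in the tree do not do; drop it. Note that no shorewall_var_run_t is declared here although the accompanying shorewall.if requires it in three interfaces.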