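## <summary>Policy for iptables.</summary>

########################################
## <summary>
##	Execute iptables in the iptables domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`iptables_domtrans',`
	requires_block_template(`$0'_depend)

	# Domain transition: the caller may execute the iptables binary, and the
	# new process is labelled iptables_t instead of keeping the caller type.
	allow $1 iptables_exec_t:file rx_file_perms;
	allow $1 iptables_t:process transition;
	type_transition $1 iptables_exec_t:process iptables_t;
	# Keep denials of these exec-time inheritance checks out of the audit log.
	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };

	# Plumbing across the transition: inherited descriptors and pipes in
	# both directions, plus the child-exit signal back to the caller.
	allow $1 iptables_t:fd use;
	allow iptables_t $1:fd use;
	allow iptables_t $1:fifo_file rw_file_perms;
	allow iptables_t $1:process sigchld;
')

define(`iptables_domtrans_depend',`
	type iptables_t, iptables_exec_t;
	class file rx_file_perms;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <summary>
##	Execute iptables in the iptables domain, and
##	allow the specified role the iptables domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to be allowed the iptables domain.
## </param>
## <param name="terminal">
##	The type of the terminal the iptables domain is allowed to use.
## </param>
#
define(`iptables_run',`
	requires_block_template(`$0'_depend)

	iptables_domtrans($1)
	# Authorising the role for iptables_t is what lets that role reach the
	# firewall configuration; it is intended for administrative roles only.
	role $2 types iptables_t;
	# Let the iptables process use the terminal it was started from.
	allow iptables_t $3:chr_file { getattr read write ioctl };
')

define(`iptables_run_depend',`
	type iptables_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <summary>
##	Execute iptables in the caller domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`iptables_exec',`
	requires_block_template(`$0'_depend)

	# No type_transition here: iptables keeps running as the caller domain,
	# so whatever access iptables itself needs must already be held by $1.
	can_exec($1,iptables_exec_t)
')

# Only what can_exec touches: iptables_t is never referenced above, so it is
# not required here (the other *_depend blocks list only what they use).
define(`iptables_exec_depend',`
	type iptables_exec_t;
	class file { getattr read execute execute_no_trans };
')

##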