#DESC Ipchains - IP packet filter administration # # Authors: Justin Smith <jsmith@mcs.drexel.edu> # Russell Coker <russell@coker.com.au> # X-Debian-Packages: ipchains iptables # # # Rules for the iptables_t domain. # daemon_base_domain(iptables, `, privmodule') role sysadm_r types iptables_t; domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t) ifdef(`modutil.te', ` # for modprobe allow iptables_t sbin_t:dir search; allow iptables_t sbin_t:lnk_file read; ') read_locale(iptables_t) # to allow rules to be saved on reboot allow iptables_t initrc_tmp_t:file rw_file_perms; domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t) allow iptables_t var_t:dir search; var_run_domain(iptables) allow iptables_t self:process { fork signal_perms }; allow iptables_t { sysctl_t sysctl_kernel_t }:dir search; allow iptables_t sysctl_modprobe_t:file { getattr read }; tmp_domain(iptables) # for iptables -L allow iptables_t self:unix_stream_socket create_socket_perms; can_resolve(iptables_t) can_ypbind(iptables_t) allow iptables_t iptables_exec_t:file execute_no_trans; allow iptables_t self:capability { net_admin net_raw }; allow iptables_t self:rawip_socket create_socket_perms; allow iptables_t etc_t:file { getattr read }; allow iptables_t fs_t:filesystem getattr; allow iptables_t { userdomain kernel_t }:fd use; # Access terminals. allow iptables_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;') allow iptables_t proc_t:file { getattr read }; allow iptables_t proc_net_t:dir search; allow iptables_t proc_net_t:file { read getattr }; # system-config-network appends to /var/log allow iptables_t var_log_t:file append; ifdef(`firstboot.te', ` allow iptables_t firstboot_t:fifo_file write; ')