rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
dd14d0d892
selinux-policy/refpolicy/policy/modules/system/iptables.te
Chris PeBenito dd14d0d892 change read_shared_libraries to use_shared_libraries, since the execute 
permission is checked when using shared libs to execute code in them, which
is not the same as just reading the shared libs.
2005-05-17 15:32:52 +00:00

123 lines
3.4 KiB
Plaintext
Raw Blame History

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(iptables, 1.0)
########################################
#
# Declarations
#
type iptables_t;
type iptables_exec_t;
init_make_system_domain(iptables_t,iptables_exec_t)
role system_r types iptables_t;
type iptables_tmp_t;
files_make_temporary_file(iptables_tmp_t)
type iptables_var_run_t;
files_make_daemon_runtime_file(iptables_var_run_t)
########################################
#
# Iptables local policy
#
allow iptables_t self:capability { net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append };
files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans };
allow iptables_t iptables_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow iptables_t iptables_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
kernel_read_hardware_state(iptables_t)
kernel_read_kernel_sysctl(iptables_t)
kernel_read_modprobe_sysctl(iptables_t)
kernel_use_file_descriptors(iptables_t)
filesystem_get_persistent_filesystem_attributes(iptables_t)
terminal_ignore_use_console(iptables_t)
init_use_file_descriptors(iptables_t)
init_script_use_pseudoterminal(iptables_t)
domain_use_widely_inheritable_file_descriptors(iptables_t)
files_read_general_system_config(iptables_t)
libraries_use_dynamic_loader(iptables_t)
libraries_use_shared_libraries(iptables_t)
logging_send_system_log_message(iptables_t)
# system-config-network appends to /var/log
#logging_append_system_logs(iptables_t)
miscfiles_read_localization(iptables_t)
sysnetwork_ifconfig_transition(iptables_t)
optional_policy(`modutils.te', `
modutils_insmod_transition(iptables_t)
')
optional_policy(`selinux.te',`
selinux_newrole_sigchld(iptables_t)
')
optional_policy(`udev.te', `
udev_read_database(iptables_t)
')
tunable_policy(`targeted_policy', `
terminal_ignore_use_general_physical_terminal(iptables_t)
terminal_ignore_use_general_pseudoterminal(iptables_t)
files_ignore_read_rootfs_file(iptables_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te', `
allow iptables_t rhgb_t:process sigchld;
allow iptables_t rhgb_t:fd use;
allow iptables_t rhgb_t:fifo_file { read write };
')
dontaudit iptables_t unpriv_userdomain:fd use;
allow iptables_t autofs_t:dir { search getattr };
tunable_policy(`direct_sysadm_daemon', `
dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
')
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
role sysadm_r types iptables_t;
# to allow rules to be saved on reboot
allow iptables_t initrc_tmp_t:file rw_file_perms;
# for iptables -L
can_resolve(iptables_t)
can_ypbind(iptables_t)
allow iptables_t userdomain:fd use;
# Access terminals.
allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
optional_policy(`gnome-pty-helper.te',`
allow iptables_t sysadm_gph_t:fd use;
')
optional_policy(`firstboot.te', `
allow iptables_t firstboot_t:fifo_file write;
')
') dnl ifdef TODO
Reference in New Issue View Git Blame Copy Permalink