rpms / selinux-policy

Clone
Source Code
GIT

Blame mls/domains/program/iptables.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   7e0fa55f06a210c3ff6e09ae70dbfc30bfffc2b0
  2.   mls
  3.   domains
  4.   program
  5.   iptables.te
Blob History Raw
Chris PeBenito 31b7c0 
#DESC Ipchains - IP packet filter administration
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
Chris PeBenito 31b7c0 
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 31b7c0 
# X-Debian-Packages: ipchains iptables
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Rules for the iptables_t domain.
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
daemon_base_domain(iptables, `, privmodule')
Chris PeBenito 31b7c0 
role sysadm_r types iptables_t;
Chris PeBenito 31b7c0 
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`modutil.te', `
Chris PeBenito 31b7c0 
# for modprobe
Chris PeBenito 31b7c0 
allow iptables_t sbin_t:dir search;
Chris PeBenito 31b7c0 
allow iptables_t sbin_t:lnk_file read;
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
read_locale(iptables_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# to allow rules to be saved on reboot
Chris PeBenito 31b7c0 
allow iptables_t initrc_tmp_t:file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
Chris PeBenito 31b7c0 
allow iptables_t var_t:dir search;
Chris PeBenito 31b7c0 
var_run_domain(iptables)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t self:process { fork signal_perms };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
Chris PeBenito 31b7c0 
allow iptables_t sysctl_modprobe_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
tmp_domain(iptables)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# for iptables -L
Chris PeBenito 31b7c0 
allow iptables_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 31b7c0 
can_resolve(iptables_t)
Chris PeBenito 31b7c0 
can_ypbind(iptables_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t iptables_exec_t:file execute_no_trans;
Chris PeBenito 31b7c0 
allow iptables_t self:capability { net_admin net_raw };
Chris PeBenito 31b7c0 
allow iptables_t self:rawip_socket create_socket_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t fs_t:filesystem getattr;
Chris PeBenito 31b7c0 
allow iptables_t { userdomain kernel_t }:fd use;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Access terminals.
Chris PeBenito 31b7c0 
allow iptables_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 31b7c0 
ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow iptables_t proc_t:file { getattr read };
Chris PeBenito 31b7c0 
allow iptables_t proc_net_t:dir search;
Chris PeBenito 31b7c0 
allow iptables_t proc_net_t:file { read getattr };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# system-config-network appends to /var/log
Chris PeBenito 31b7c0 
allow iptables_t var_log_t:file append;
Chris PeBenito 31b7c0 
ifdef(`firstboot.te', `
Chris PeBenito 31b7c0 
allow iptables_t firstboot_t:fifo_file write;
Chris PeBenito 31b7c0 
')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation