diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if index b151a1f..0948921 100644 --- a/policy/modules/admin/shorewall.if +++ b/policy/modules/admin/shorewall.if @@ -107,7 +107,7 @@ interface(`shorewall_read_lib_files',` # interface(`shorewall_rw_lib_files',` gen_require(` - type shorewall_t; + type shorewall_var_lib_t; ') files_search_var_lib($1) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 7626034..d83532b 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,5 +1,5 @@ -policy_module(iptables, 1.10.1) +policy_module(iptables, 1.10.2) ######################################## # @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t) allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; +allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; @@ -53,6 +54,7 @@ kernel_read_modprobe_sysctls(iptables_t) kernel_use_fds(iptables_t) corenet_relabelto_all_packets(iptables_t) +corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -122,5 +124,9 @@ optional_policy(` ') optional_policy(` + shorewall_rw_lib_files(iptables_t) +') + +optional_policy(` udev_read_db(iptables_t) ')