commit: 4929259123b905a9d2d131e56f52683cce3d4759 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sat Nov 9 09:44:57 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Dec 6 17:31:16 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=49292591 |
|
iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian. |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/system/iptables.te | 6 ++++++ |
1 file changed, 6 insertions(+) |
|
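diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..63eb287 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
@@ -105,6 +106,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	firewalld_read_config_files(iptables_t)
+	firewalld_dontaudit_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
 	firstboot_use_fds(iptables_t)
 	firstboot_rw_pipes(iptables_t)
 ')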
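Review bot: The new `firewalld_dontaudit_rw_tmp_files(iptables_t)` call in the second hunk silences both read and write denials on firewalld tmp files without recording why those denials are expected, so a later maintainer cannot tell from the policy file whether a real functional need is being hidden rather than harmless noise. The commit message gives the Fedora origin and the Debian confirmation, but none of that context reaches iptables.te. Consider a one-line comment above the call, e.g. `# presumably firewalld tmp files inherited open when firewalld runs iptables; access not needed, so only silence the denials (observed on Fedora and Debian)`, and if iptables ever does need that access the fix would be an allow interface rather than a dontaudit. The `kernel_getattr_proc(iptables_t)` addition in the first hunk is likewise uncommented, though its intent is clear from the interface name.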