[selinux-policy: 2424/3172] Shorewall patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:35:05 UTC 2010
commit fa03ecc046ecc6dc50d41847887ea50cb861420f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 19 11:53:19 2010 -0500
Shorewall patch from Dan Walsh.
policy/modules/admin/shorewall.fc | 3 +-
policy/modules/admin/shorewall.if | 40 +++++++++++++++++++++++++++++++++++++
policy/modules/admin/shorewall.te | 4 ++-
3 files changed, 45 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
index 288ece1..6286e2b 100644
--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
@@ -4,8 +4,9 @@
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
-/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
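Review bot: The shorewall6 labelling looks incomplete: this hunk labels `/sbin/shorewall6` and `/var/lib/shorewall6`, but the visible `/etc/shorewall(/.*)?` entry is unchanged. An `/etc/shorewall6` configuration tree would therefore not get `shorewall_etc_t` unless an entry outside the hunk covers it. If the IPv6 variant keeps its rules there, add `/etc/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)` so its firewall configuration carries the same type as the IPv4 one. The same question applies to any `shorewall6-lite` paths, which the `shorewall6?` pattern does not match.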
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 1d3bade..b151a1f 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -75,6 +75,46 @@ interface(`shorewall_rw_pid_files',`
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
+######################################
+## <summary>
+## Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_lib_files',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_lib_files',`
+ gen_require(`
+ type shorewall_t;
+ ')
+
+ files_search_var_lib($1)
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
#######################################
## <summary>
## All of the rules required to administrate
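Review bot: Both new interfaces declare the wrong type in `gen_require`: `shorewall_read_lib_files` and `shorewall_rw_lib_files` require `shorewall_t`, but their rules reference only `shorewall_var_lib_t`. The require block should read `type shorewall_var_lib_t;` in both; as written, the type the rules depend on is never declared to the caller, which would presumably break resolution in a modular build. The explicit `search_dirs_pattern` line also looks redundant, since `read_files_pattern` and `rw_files_pattern` already grant search on the containing directory. Because `shorewall_rw_lib_files` hands out write access to the firewall's state files, its summary could say that callers should be limited to domains that manage shorewall.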
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index 1ad6de7..625341e 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -1,5 +1,5 @@
-policy_module(shorewall, 1.0.0)
+policy_module(shorewall, 1.0.1)
########################################
#
@@ -80,6 +80,8 @@ miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
+userdom_dontaudit_list_user_home_dirs(shorewall_t)
+
optional_policy(`
iptables_domtrans(shorewall_t)
')
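Review bot: The new `userdom_dontaudit_list_user_home_dirs(shorewall_t)` line has no comment saying which denial it silences. A dontaudit rule removes the AVC record that would otherwise show shorewall_t trying to list user home directories, so the reason for it should be recorded. A short comment above it, such as `# shorewall may be started with its cwd in a user home directory; the listing is denied and not needed` (wording to be confirmed by whoever saw the denial), would let a later reviewer judge whether the suppression is still justified. The hunk shows only part of the shorewall_t rule block.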