[selinux-policy: 2424/3172] Shorewall patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:35:05 UTC 2010


commit fa03ecc046ecc6dc50d41847887ea50cb861420f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 19 11:53:19 2010 -0500

    Shorewall patch from Dan Walsh.

 policy/modules/admin/shorewall.fc |    3 +-
 policy/modules/admin/shorewall.if |   40 +++++++++++++++++++++++++++++++++++++
 policy/modules/admin/shorewall.te |    4 ++-
 3 files changed, 45 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
index 288ece1..6286e2b 100644
--- a/policy/modules/admin/shorewall.fc
+++ b/policy/modules/admin/shorewall.fc
@@ -4,8 +4,9 @@
 /etc/shorewall(/.*)?				gen_context(system_u:object_r:shorewall_etc_t,s0)
 /etc/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_etc_t,s0)
 
-/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall6?			--	gen_context(system_u:object_r:shorewall_exec_t,s0)
 /sbin/shorewall-lite			--	gen_context(system_u:object_r:shorewall_exec_t,s0)
 
 /var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
 /var/lib/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
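Review bot: The hunk labels the shorewall6 binary and a /var/lib/shorewall6 state directory but adds no entry for a /etc/shorewall6 configuration tree, so if the ipv6 variant keeps its configuration under /etc/shorewall6 the way the ipv4 one does under /etc/shorewall (first line of this hunk), that tree would keep the generic /etc label and none of the shorewall_t rules written against shorewall_etc_t would apply to it. If that path exists in the shorewall6 package, add `/etc/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_etc_t,s0)` beside the existing /etc/shorewall entry so both variants' configuration is labeled consistently.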
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 1d3bade..b151a1f 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -75,6 +75,46 @@ interface(`shorewall_rw_pid_files',`
 	rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
 ')
 
+######################################
+## <summary>
+##      Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_lib_files',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_lib_files',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
 #######################################
 ## <summary>
 ##	All of the rules required to administrate 
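Review bot: Both new interfaces require `type shorewall_t;` in their gen_require block but never reference it, while the type they actually use, shorewall_var_lib_t, is not required; for a caller built as a separate module that leaves the pattern rules referring to a type the module never declares, so the require line should read `type shorewall_var_lib_t;` in both shorewall_read_lib_files and shorewall_rw_lib_files. The new blocks are also indented with spaces and the closing `')` of each gen_require is misaligned, where the surrounding file (the rw_files_pattern line at the top of the hunk, the summary lines at the bottom) uses tabs. The search_dirs_pattern call in each interface looks redundant with the dir search that read_files_pattern and rw_files_pattern already grant on their second argument, though I have not verified those pattern definitions here; if so it can be dropped.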
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index 1ad6de7..625341e 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -1,5 +1,5 @@
 
-policy_module(shorewall, 1.0.0)
+policy_module(shorewall, 1.0.1)
 
 ########################################
 #
@@ -80,6 +80,8 @@ miscfiles_read_localization(shorewall_t)
 
 sysnet_domtrans_ifconfig(shorewall_t)
 
+userdom_dontaudit_list_user_home_dirs(shorewall_t)
+
 optional_policy(`
 	iptables_domtrans(shorewall_t)
 ')
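Review bot: The new userdom_dontaudit_list_user_home_dirs(shorewall_t) call carries no comment and the commit message gives no reason for it, so a later reader cannot tell which denial it silences or whether that denial pointed at a misconfiguration that should have been fixed instead of hidden. A one-line comment above it naming the trigger, e.g. `# silence home dir listing denials seen when shorewall is run from a user's home directory -- confirm trigger`, would make the dontaudit reviewable; the actual trigger is not visible in this hunk and should be taken from the denial that motivated it.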

