[selinux-policy: 2547/3172] Iptables patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:46:23 UTC 2010
commit 4fbcd778def09a63cdd0a3d75f74942808e43807
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Mar 18 08:10:21 2010 -0400
Iptables patch from Dan Walsh.
policy/modules/admin/shorewall.if | 2 +-
policy/modules/system/iptables.te | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index b151a1f..0948921 100644
--- a/policy/modules/admin/shorewall.if
+++ b/policy/modules/admin/shorewall.if
@@ -107,7 +107,7 @@ interface(`shorewall_read_lib_files',`
#
interface(`shorewall_rw_lib_files',`
gen_require(`
- type shorewall_t;
+ type shorewall_var_lib_t;
')
files_search_var_lib($1)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7626034..d83532b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables, 1.10.1)
+policy_module(iptables, 1.10.2)
########################################
#
@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
+allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:rawip_socket create_socket_perms;
@@ -53,6 +54,7 @@ kernel_read_modprobe_sysctls(iptables_t)
kernel_use_fds(iptables_t)
corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
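Review bot: The added `corenet_dontaudit_rw_tun_tap_dev(iptables_t)` hides a denial without saying where it comes from; nothing in this hunk or in the commit message names the domain that hands iptables a tun/tap descriptor. A dontaudit rule removes the AVC records that would show this access being attempted, so the reason belongs next to the rule. Something like `# tun/tap fd is presumably inherited from the calling network/VPN script; access stays denied, only the audit noise is dropped` would do, with the actual caller filled in. If the descriptor turns out to be leaked by one specific domain, closing it there (close-on-exec) would keep the audit trail intact instead of silencing it for every caller.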
@@ -122,5 +124,9 @@ optional_policy(`
')
optional_policy(`
+ shorewall_rw_lib_files(iptables_t)
+')
+
+optional_policy(`
udev_read_db(iptables_t)
')
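Review bot: `shorewall_rw_lib_files(iptables_t)` grants iptables_t write access to shorewall's lib files, although the first hunk's header shows that a `shorewall_read_lib_files` interface also exists. If iptables only needs to read those files when shorewall invokes it, the narrower `shorewall_read_lib_files(iptables_t)` would be enough. If write is needed, for example because shorewall redirects iptables output into that directory (an assumption, not visible here), a one-line comment in the `optional_policy` block should say so. As written, a confined iptables_t process can modify files that shorewall presumably reads back later, and the patch gives no justification for that.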