|
 |
1ec3d1a |
|
|
|
1ec3d1a |
policy_module(firewalld,1.0.0)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_t;
|
|
|
1ec3d1a |
type firewalld_exec_t;
|
|
|
1ec3d1a |
init_daemon_domain(firewalld_t, firewalld_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_initrc_exec_t;
|
|
|
1ec3d1a |
init_script_file(firewalld_initrc_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_etc_rw_t;
|
|
|
1ec3d1a |
files_config_file(firewalld_etc_rw_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_var_log_t;
|
|
|
1ec3d1a |
logging_log_file(firewalld_var_log_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_var_run_t;
|
|
|
1ec3d1a |
files_pid_file(firewalld_var_run_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type firewalld_unit_file_t;
|
|
|
1ec3d1a |
systemd_unit_file(firewalld_unit_file_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# firewalld local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
dontaudit firewalld_t self:capability sys_tty_config;
|
|
|
1ec3d1a |
allow firewalld_t self:fifo_file rw_fifo_file_perms;
|
|
|
1ec3d1a |
allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
|
|
1ec3d1a |
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
|
|
|
1ec3d1a |
create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
|
|
|
1ec3d1a |
read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
|
|
|
1ec3d1a |
setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
|
|
|
1ec3d1a |
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
# should be fixed to cooperate with systemd to create /var/run/firewalld directory
|
|
|
1ec3d1a |
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
|
|
|
1ec3d1a |
files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_network_state(firewalld_t)
|
|
|
1ec3d1a |
kernel_read_system_state(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_exec_bin(firewalld_t)
|
|
|
1ec3d1a |
corecmd_exec_shell(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dev_read_urand(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domain_use_interactive_fds(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_read_etc_files(firewalld_t)
|
|
|
1ec3d1a |
files_read_usr_files(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
fs_getattr_xattr_fs(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
auth_read_passwd(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_send_syslog_msg(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
miscfiles_read_localization(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
seutil_exec_setfiles(firewalld_t)
|
|
|
1ec3d1a |
seutil_read_file_contexts(firewalld_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
policykit_dbus_chat(firewalld_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
networkmanager_dbus_chat(firewalld_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
iptables_domtrans(firewalld_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
modutils_domtrans_insmod(firewalld_t)
|
|
|
1ec3d1a |
')
|