diff --git a/shorewall.fc b/shorewall.fc
index ad1c483..b98201c 100644
--- a/shorewall.fc
+++ b/shorewall.fc
@@ -7,6 +7,9 @@
/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff --git a/shorewall.if b/shorewall.if
index 9574bb5..1aeef8a 100644
--- a/shorewall.if
+++ b/shorewall.if
@@ -1,4 +1,4 @@
-## Shoreline Firewall high-level tool for configuring netfilter
+## Shoreline Firewall high-level tool for configuring netfilter.
########################################
##
@@ -15,6 +15,7 @@ interface(`shorewall_domtrans',`
type shorewall_t, shorewall_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
')
@@ -33,12 +34,13 @@ interface(`shorewall_lib_domtrans',`
type shorewall_t, shorewall_var_lib_t;
')
+ files_search_var_lib($1)
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
')
#######################################
##
-## Read shorewall etc configuration files.
+## Read shorewall configuration files.
##
##
##
@@ -57,7 +59,7 @@ interface(`shorewall_read_config',`
#######################################
##
-## Read shorewall PID files.
+## Read shorewall pid files.
##
##
##
@@ -76,7 +78,7 @@ interface(`shorewall_read_pid_files',`
#######################################
##
-## Read and write shorewall PID files.
+## Read and write shorewall pid files.
##
##
##
@@ -95,47 +97,45 @@ interface(`shorewall_rw_pid_files',`
######################################
##
-## Read shorewall /var/lib files.
+## Read shorewall lib files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`shorewall_read_lib_files',`
- gen_require(`
- type shorewall_t;
- ')
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
- files_search_var_lib($1)
- search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_search_var_lib($1)
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
##
-## Read and write shorewall /var/lib files.
+## Read and write shorewall lib files.
##
##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
##
#
interface(`shorewall_rw_lib_files',`
- gen_require(`
- type shorewall_var_lib_t;
- ')
+ gen_require(`
+ type shorewall_var_lib_t;
+ ')
- files_search_var_lib($1)
- search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_search_var_lib($1)
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
##
-## Read shorewall tmp files.
+## Read shorewall temporary files.
##
##
##
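Review bot: `shorewall_rw_lib_files` now grants `rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)` on a type that shorewall.te also declares as an entrypoint via `domain_entry_file(shorewall_t, shorewall_var_lib_t)`, so any domain given this interface can rewrite the files that later run as shorewall_t; the interface summary should say so. Suggested wording under the `Read and write shorewall lib files.` summary: `## Note: shorewall_var_lib_t is also an entrypoint for shorewall_t, so write access here lets the caller supply code that runs in the firewall domain; grant sparingly.` The corrected gen_require in `shorewall_read_lib_files` (which previously required shorewall_t instead of the type it actually used) needs no further change, and dropping `search_dirs_pattern` is fine as the read/rw_files_pattern macros already carry directory search on their second argument. Both interfaces are wholly inside this hunk.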
@@ -154,8 +154,8 @@ interface(`shorewall_read_tmp_files',`
#######################################
##
-## All of the rules required to administrate
-## an shorewall environment
+## All of the rules required to
+## administrate an shorewall environment.
##
##
##
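Review bot: The reflowed summary keeps the article error in `## administrate an shorewall environment.`; it should read `## administrate a shorewall environment.`. The rest of this hunk is wording only. The interface definition itself continues outside the hunk.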
@@ -164,17 +164,15 @@ interface(`shorewall_read_tmp_files',`
##
##
##
-## The role to be allowed to manage the syslog domain.
+## Role allowed access.
##
##
##
#
interface(`shorewall_admin',`
gen_require(`
- type shorewall_t, shorewall_lock_t;
- type shorewall_log_t;
- type shorewall_exec_t;
- type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_t, shorewall_lock_t, shorewall_log_t;
+ type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
diff --git a/shorewall.te b/shorewall.te
index 1bc340d..76ac110 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -1,4 +1,4 @@
-policy_module(shorewall, 1.3.1)
+policy_module(shorewall, 1.3.2)
########################################
#
@@ -12,21 +12,16 @@ init_daemon_domain(shorewall_t, shorewall_exec_t)
type shorewall_initrc_exec_t;
init_script_file(shorewall_initrc_exec_t)
-# etc files
type shorewall_etc_t;
files_config_file(shorewall_etc_t)
-# lock files
type shorewall_lock_t;
files_lock_file(shorewall_lock_t)
-# tmp files
type shorewall_tmp_t;
files_tmp_file(shorewall_tmp_t)
-# var/lib files
type shorewall_var_lib_t;
-files_type(shorewall_var_lib_t)
domain_entry_file(shorewall_t, shorewall_var_lib_t)
type shorewall_log_t;
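Review bot: Removing `files_type(shorewall_var_lib_t)` leaves the type's file_type attribute to come from `domain_entry_file(shorewall_t, shorewall_var_lib_t)` on the line below; as far as I recall that interface applies files_type() to its second argument, but confirm against domain.if in this tree, since a var_lib type without the attribute silently loses the generic relabel/search rules other modules rely on. With the section comments gone, the unusual fact that a var_lib type is an entrypoint is now undocumented; a line such as `# /var/lib/shorewall holds scripts run as a shorewall_t entrypoint (see shorewall_lib_domtrans); presumably the compiled firewall script - confirm` above the domain_entry_file call would explain it to the next reader. The type declarations continue past the end of the hunk.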
@@ -34,10 +29,10 @@ logging_log_file(shorewall_log_t)
########################################
#
-# shorewall local policy
+# Local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
@@ -47,8 +42,10 @@ list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
-manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
@@ -75,14 +72,16 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
-files_read_etc_files(shorewall_t)
files_read_usr_files(shorewall_t)
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
+auth_use_nsswitch(shorewall_t)
+
init_rw_utmp(shorewall_t)
+logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
miscfiles_read_localization(shorewall_t)
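Review bot: `logging_read_generic_logs(shorewall_t)` grants read access to every generic log type and nothing in the hunk records why; if it is for shorewall's log-inspection commands reading the kernel log out of syslog (presumably - confirm), say so with `# read syslog output for shorewall logwatch/show log` above the call so the broad grant is not silently widened later. Dropping `files_read_etc_files(shorewall_t)` while adding `auth_use_nsswitch(shorewall_t)` is only safe if the base policy in this tree already grants etc reads to all domains or auth_use_nsswitch pulls them in; worth confirming, as shorewall reads /etc/shorewall via shorewall_etc_t but also generic /etc files. The surrounding rule list continues outside the hunk.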
@@ -90,6 +89,11 @@ miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
userdom_dontaudit_list_user_home_dirs(shorewall_t)
+userdom_use_user_terminals(shorewall_t)
+
+optional_policy(`
+ brctl_domtrans(shorewall_t)
+')
optional_policy(`
hostname_exec(shorewall_t)