From: Shaun Savage <savages@pcez.com>
To: Paul Krumviede <pwk@acm.org>
Cc: SELinux@tycho.nsa.gov
Subject: Re: iptables.te errors
Date: Sun, 16 Dec 2001 21:48:13 -0800 [thread overview]
Message-ID: <3C1D871D.8020908@pcez.com> (raw)
In-Reply-To: 136657933.1008526709@localhost
Thanks, it works.

I have an iptables.te with some documentation. Here is what I learned.

You need to add

  role sysadm_r types DOMAIN_T

This allows DOMAIN_T from the sysadm_r role; the same for system_r.

Allow the change from sysadm_t to DOMAIN_T:

  domain_auto_trans(sysadm_t, DOMAIN_EXEC_T, DOMAIN_T)

When executing a program of type DOMAIN_EXEC_T from sysadm_t,
the new domain is DOMAIN_T.

Next, allow input/output:

  allow DOMAIN_T sysadm_tty_device_t:chr_file rw_file_perms;
  allow DOMAIN_T sysadm_devpts_t:chr_file rw_file_perms;
  allow DOMAIN_T sysadm_gph_t:fd inherit_fd_perms;
Paul Krumviede wrote:
> --On Sunday, 16 December, 2001 10:06 -0800 Shaun Savage
> <savages@pcez.com> wrote:
>
>> Hi
>> I am having a hard time getting courier to work, so I decided to
>> try something easier: iptables. Attached is the te file that I am using.
>> During make load I get the error
>>
>> security: context system_u:system_r:iptables_t is invalid
>
> iptables_t needs to be added to the allowed set of types
> for the system_r role. this can be done in policy/rbac or
> it can be added to iptables.te (i prefer the latter since
> it makes the .te file relatively self-contained, but at the
> expense of not having all the allowed types for a given
> role in one place to look at; tastes may vary).
>
>> Then during the command iptables -t nat -L
>> I get the errors
>> avc: denied { create } for pid=9757 exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket
>> avc: denied { getopt } for pid=9757 exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket
>
> there is no rule to change the domain of the process when
> iptables is run in the system administrator role (nor does
> there seem to be a domain transition rule for when ipchains
> is run by init). this could be added in policy/domains/admin/sysadm.te
> or in iptables.te (similarly, a domain transition rule could be added
> to policy/domains/system/initrc.te or to iptables.te).
>
> -paul
>
[-- Attachment #2: iptables.te --]
#
# Authors: Justin Smith <jsmith@mcs.drexel.edu>
#

#
# Types for the iptables_t domain.
#
# iptables_t is the domain /sbin/iptables runs in; privlog lets it talk to
# syslog.  iptables_exec_t labels the iptables binary; iptables_var_run_t
# labels the pid files it creates under /var/run.
type iptables_t, domain, privlog;
type iptables_exec_t, file_type, sysadmfile, exec_type;
type iptables_var_run_t, file_type, sysadmfile, pidfile;

# Add iptables_t to the system_r and sysadm_r roles (otherwise done in rbac).
# Without these, system_u:system_r:iptables_t is an invalid context and
# "make load" fails.
role system_r types iptables_t;
role sysadm_r types iptables_t;

# Allow the admin to enter the iptables_t domain (otherwise from sysadm.te):
# executing an iptables_exec_t file from sysadm_t lands in iptables_t instead
# of staying in sysadm_t, which is what the rawip_socket denials above showed.
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)

# Allow output to the admin's terminal (otherwise from sysadm.te).
allow iptables_t sysadm_tty_device_t:chr_file rw_file_perms;
allow iptables_t sysadm_devpts_t:chr_file rw_file_perms;
allow iptables_t sysadm_gph_t:fd inherit_fd_perms;

#
# Rules for the iptables_t domain.
#

# Run insmod and ifconfig in their own domains.
domain_auto_trans(iptables_t, insmod_exec_t, insmod_t)
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)

# Pid files created in /var/run get the iptables_var_run_t type
# (a hold-over from ipchains).
file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t)

# Inherit and use descriptors from init.
allow iptables_t init_t:fd inherit_fd_perms;

# Execute helper programs from bin_t, and the iptables binary itself,
# without a further domain transition.
allow iptables_t bin_t:file { execute execute_no_trans };
allow iptables_t iptables_exec_t:file { execute_no_trans };

# Raw IP sockets and the capabilities needed to manipulate netfilter tables.
allow iptables_t iptables_t:capability { net_admin net_raw };
allow iptables_t iptables_t:rawip_socket { create setopt getopt };
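An added example, not code from the thread or from the SELinux policy tree: a small Python script that parses "avc: denied" lines like the ones quoted above, merges them into the allow rule an audit2allow-style tool would emit, and then flags the point Paul made in his reply. The source context of the denials is the admin's own domain, not iptables_t, so the process never transitioned; the right fix is the domain_auto_trans in iptables.te, and a blind allow rule would instead hand raw-socket access to the caller's domain. The sample messages are reconstructed from the quoted mail (including its "sysadmin_t" spelling), and EXPECTED_DOMAIN is an assumed table, not something read from the policy.

```python
"""Parse SELinux AVC denials and reason about them the way the thread does:
merge denials into candidate allow rules, then check whether the source
domain is the one the executable was supposed to transition into.

Added example for this thread; not code from the original mail or from the
SELinux policy tree.  EXPECTED_DOMAIN and SAMPLE_AVC are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the thread, one message
# per line (the mail client had wrapped them).  The scontext type really is
# spelled "sysadmin_t" in the quoted mail; it is left exactly as quoted.
SAMPLE_AVC = """\
avc: denied { create } for pid=9757 exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket
avc: denied { getopt } for pid=9757 exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket
"""

# Assumption for this example: which domain each executable should run in.
# The iptables.te in the thread says /sbin/iptables (iptables_exec_t) should
# run as iptables_t via domain_auto_trans.
EXPECTED_DOMAIN = {"/sbin/iptables": "iptables_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    try:
        return {
            "perms": m.group("perms").split(),
            "exe": fields.get("exe"),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
        }
    except KeyError:
        return None  # truncated or wrapped message: skip rather than guess


def ctx_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def allow_rules(log):
    """Merge denials into 'allow src tgt:class { perms };' lines, the way an
    audit2allow-style tool would.  Same source and target type become 'self'."""
    merged = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        src, tgt = ctx_type(d["scontext"]), ctx_type(d["tcontext"])
        merged[(src, "self" if src == tgt else tgt, d["tclass"])].update(d["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def missing_transitions(log):
    """Denials whose source domain is not the domain the executable was meant
    to run in.  For those, the rule from allow_rules() is the wrong fix: the
    process never left the caller's domain, so what is missing is a
    domain_auto_trans, not a grant to the caller."""
    found = set()
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        want = EXPECTED_DOMAIN.get(d["exe"])
        have = ctx_type(d["scontext"])
        if want is not None and have != want:
            found.add((d["exe"], have, want))
    return sorted(found)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print("candidate:", rule)
    for exe, have, want in missing_transitions(SAMPLE_AVC):
        print(f"{exe} ran as {have}, expected {want}: add a domain_auto_trans")
```

Run against the sample, the candidate rule is the one you would get by pasting the denials into an allow generator; missing_transitions() is the check that stops you from applying it, because it shows the denial was raised against the admin's domain rather than the iptables_t domain the binary was supposed to enter.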