#
# Authors: Justin Smith
#

#
# Types for the iptables_t domain.
#
# iptables_t is a domain carrying privlog (may send to the system logger),
# iptables_exec_t labels the entry-point binary and iptables_var_run_t
# labels the pid files the domain creates.
type iptables_t, domain, privlog;
type iptables_exec_t, file_type, sysadmfile, exec_type;
type iptables_var_run_t, file_type, sysadmfile, pidfile;

# Roles that may contain iptables_t (from rbac).
role system_r types iptables_t;
role sysadm_r types iptables_t;

# Entering the domain: the admin transitions to iptables_t when executing
# an iptables_exec_t binary (from sysadm.te).
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)

# Leaving the domain: insmod and ifconfig run in their own domains instead
# of inheriting the net_admin/net_raw capabilities granted below.
domain_auto_trans(iptables_t, insmod_exec_t, insmod_t)
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)

# Pid files written into var_run_t are labeled iptables_var_run_t
# (hold over from ipchains).
file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t)

# Output to the admin's tty/pty and sysadm_gph_t descriptors (from sysadm.te).
allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
allow iptables_t sysadm_gph_t:fd inherit_fd_perms;

# Inherit and use descriptors from init.
allow iptables_t init_t:fd inherit_fd_perms;

# Programs that execute inside iptables_t without a domain change.
# NOTE(review): execute_no_trans on all of bin_t means any bin_t program
# launched from here keeps this domain's net_admin/net_raw capabilities;
# narrowing to the specific helper types iptables needs would shrink that
# exposure if they can be identified.
allow iptables_t bin_t:file { execute execute_no_trans };
allow iptables_t iptables_exec_t:file { execute_no_trans };

# Netfilter access: net_admin to modify the tables, net_raw plus a raw IP
# socket whose setopt/getopt operations carry the rule-set requests.
allow iptables_t iptables_t:capability { net_admin net_raw };
allow iptables_t iptables_t:rawip_socket { create setopt getopt };