system-config-service of iptables needs this patch to work in targeted policy

All of lore.kernel.org
 help / color / mirror / Atom feed

* system-config-service of iptables needs this patch to work in targeted policy
@ 2007-03-08 14:46 Daniel J Walsh
  2007-03-26 19:43 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-03-08 14:46 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 107 bytes --]

Basically iptables needs to be able to output to the terminal and talk 
to unconfined_pipes from the tool.

[-- Attachment #2: nsaserefpolicy_policy_modules_system_iptables.patch --]
[-- Type: text/x-patch, Size: 676 bytes --]

--- nsaserefpolicy/policy/modules/system/iptables.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/iptables.te	2007-03-08 08:42:37.000000000 -0500
@@ -77,9 +77,10 @@
 userdom_use_all_users_fds(iptables_t)
 
 ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_ttys(iptables_t)
-	term_dontaudit_use_generic_ptys(iptables_t)
+	term_use_unallocated_ttys(iptables_t)
+	term_use_generic_ptys(iptables_t)
 	files_dontaudit_read_root_files(iptables_t)
+ 	unconfined_rw_pipes(iptables_t)
 ')
 
 optional_policy(`
@@ -111,3 +112,7 @@
 optional_policy(`
 	udev_read_db(iptables_t)
 ')
+
+optional_policy(`
+	fail2ban_append_log(iptables_t)
+')

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: system-config-service of iptables needs this patch to work in targeted policy
  2007-03-08 14:46 system-config-service of iptables needs this patch to work in targeted policy Daniel J Walsh
@ 2007-03-26 19:43 ` Christopher J. PeBenito
  2007-03-26 20:22   ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2007-03-26 19:43 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Thu, 2007-03-08 at 09:46 -0500, Daniel J Walsh wrote:
> Basically iptables needs to be able to output to the terminal and
> talk 
> to unconfined_pipes from the tool.
> 
> 
> 
> 
> 
> 
> 
> differences
> between files
> attachment
> (nsaserefpolicy_policy_modules_system_iptables.patch)
> 
> --- nsaserefpolicy/policy/modules/system/iptables.te    2007-02-19
> 11:32:53.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/iptables.te 2007-03-08
> 08:42:37.000000000 -0500
> @@ -77,9 +77,10 @@
>  userdom_use_all_users_fds(iptables_t)
>  
>  ifdef(`targeted_policy', `
> -       term_dontaudit_use_unallocated_ttys(iptables_t)
> -       term_dontaudit_use_generic_ptys(iptables_t)
> +       term_use_unallocated_ttys(iptables_t)
> +       term_use_generic_ptys(iptables_t)
>         files_dontaudit_read_root_files(iptables_t)
> +       unconfined_rw_pipes(iptables_t)
>  ')
>  
>  optional_policy(`

Merged this part.

> @@ -111,3 +112,7 @@
>  optional_policy(`
>         udev_read_db(iptables_t)
>  ')
> +
> +optional_policy(`
> +       fail2ban_append_log(iptables_t)
> +')
> 

But not this one since it doesn't seem relevant.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: system-config-service of iptables needs this patch to work in targeted policy
  2007-03-26 19:43 ` Christopher J. PeBenito
@ 2007-03-26 20:22   ` Daniel J Walsh
  2007-03-27 12:37     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-03-26 20:22 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SE Linux

Christopher J. PeBenito wrote:
> On Thu, 2007-03-08 at 09:46 -0500, Daniel J Walsh wrote:
>   
>> Basically iptables needs to be able to output to the terminal and
>> talk 
>> to unconfined_pipes from the tool.
>>
>>
>>
>>
>>
>>
>>
>> differences
>> between files
>> attachment
>> (nsaserefpolicy_policy_modules_system_iptables.patch)
>>
>> --- nsaserefpolicy/policy/modules/system/iptables.te    2007-02-19
>> 11:32:53.000000000 -0500
>> +++ serefpolicy-2.5.8/policy/modules/system/iptables.te 2007-03-08
>> 08:42:37.000000000 -0500
>> @@ -77,9 +77,10 @@
>>  userdom_use_all_users_fds(iptables_t)
>>  
>>  ifdef(`targeted_policy', `
>> -       term_dontaudit_use_unallocated_ttys(iptables_t)
>> -       term_dontaudit_use_generic_ptys(iptables_t)
>> +       term_use_unallocated_ttys(iptables_t)
>> +       term_use_generic_ptys(iptables_t)
>>         files_dontaudit_read_root_files(iptables_t)
>> +       unconfined_rw_pipes(iptables_t)
>>  ')
>>  
>>  optional_policy(`
>>     
>
> Merged this part.
>
>   
>> @@ -111,3 +112,7 @@
>>  optional_policy(`
>>         udev_read_db(iptables_t)
>>  ')
>> +
>> +optional_policy(`
>> +       fail2ban_append_log(iptables_t)
>> +')
>>
>>     
>
> But not this one since it doesn't seem relevant.
>
>   
fail2ban is redirecting output from iptables to it's log files.  Would 
you prefer dontaudit?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: system-config-service of iptables needs this patch to work in targeted policy
  2007-03-26 20:22   ` Daniel J Walsh
@ 2007-03-27 12:37     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2007-03-27 12:37 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Mon, 2007-03-26 at 16:22 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2007-03-08 at 09:46 -0500, Daniel J Walsh wrote:
> >   
> >> Basically iptables needs to be able to output to the terminal and
> >> talk 
> >> to unconfined_pipes from the tool.
> >>

> >> +
> >> +optional_policy(`
> >> +       fail2ban_append_log(iptables_t)
> >> +')
> >>
> >>     
> >
> > But not this one since it doesn't seem relevant.
> >
> >   
> fail2ban is redirecting output from iptables to it's log files.  Would 
> you prefer dontaudit?

I just didn't know what it was about since you didn't mention it in the
description.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-03-27 12:36 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-08 14:46 system-config-service of iptables needs this patch to work in targeted policy Daniel J Walsh
2007-03-26 19:43 ` Christopher J. PeBenito
2007-03-26 20:22   ` Daniel J Walsh
2007-03-27 12:37     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.