Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/firewalld.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/firewalld.if')
-rw-r--r--policy/modules/services/firewalld.if118
1 files changed, 118 insertions, 0 deletions
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
new file mode 100644
index 000000000..b4fda82cb
--- /dev/null
+++ b/policy/modules/services/firewalld.if
@@ -0,0 +1,118 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+## Read firewalld configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_config_files',`
+ gen_require(`
+ type firewalld_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## firewalld over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_dbus_chat',`
+ gen_require(`
+ type firewalld_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 firewalld_t:dbus send_msg;
+ allow firewalld_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read, snd
+## write firewalld temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`firewalld_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type firewalld_tmp_t;
+ ')
+
+ dontaudit $1 firewalld_tmp_t:file { read write };
+')
+
+########################################
+## <summary>
+## Read firewalld runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`firewalld_read_var_run_files',`
+ gen_require(`
+ type firewalld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, firewalld_var_run_t, firewalld_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t, firewalld_initrc_exec_t;
+ type firewalld_etc_rw_t, firewalld_var_run_t;
+ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
+
+ files_search_pids($1)
+ admin_pattern($1, firewalld_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, firewalld_etc_rw_t)
+')