commit:     d935f927cd34c1a91d3a8f3c9278baeeef852320
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 27 01:02:21 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:08 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d935f927

iptables: add file context for saved rules

Bug: https://bugs.gentoo.org/840230
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.fc     | 1 -
 policy/modules/system/iptables.fc | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe661d5d..4a7c0e00 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -82,7 +82,6 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?         gen_context(system_u:object_r:initrc_state_t,s0)
-/var/lib/ip6?tables(/.*)?      gen_context(system_u:object_r:initrc_tmp_t,s0)
 
 /run/openrc(/.*)?              gen_context(system_u:object_r:initrc_state_t,s0)
 /run/svscan\.pid       --      
gen_context(system_u:object_r:initrc_runtime_t,s0)

diff --git a/policy/modules/system/iptables.fc 
b/policy/modules/system/iptables.fc
index ba65e811..6157f313 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -45,3 +45,8 @@
 /usr/sbin/xtables-legacy-multi         --      
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi                        --      
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-nft-multi            --      
gen_context(system_u:object_r:iptables_exec_t,s0)
+
+ifdef(`distro_gentoo', `
+/var/lib/ip6?tables(/.*)?              
gen_context(system_u:object_r:iptables_conf_t,s0)
+/var/lib/nftables(/.*)?                        
gen_context(system_u:object_r:iptables_conf_t,s0)
+')
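Review bot: The new `ifdef(`distro_gentoo'` block relabels `/var/lib/ip6?tables` (and newly `/var/lib/nftables`) from `initrc_tmp_t` to `iptables_conf_t`, but per the diffstat only `.fc` files change, so whatever domain creates the directory or writes the saved rules file there now needs matching allow rules on `iptables_conf_t` in `iptables.te` — confirm whether that is `iptables_t` only or whether the init script itself touches the path in `initrc_t`, since the old `initrc_tmp_t` label implied the latter. The block also has no comment explaining the label choice; I would add `# Gentoo: saved firewall rules, previously initrc_tmp_t in init.fc` above the first pattern. Existing installs will keep the old label until a `restorecon -R` is run on those three paths, which is worth stating in the commit message or a comment.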
