From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-510561-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 76A4D138010
	for <garchives@archives.gentoo.org>; Tue,  2 Oct 2012 18:23:26 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3BBDB21C007;
	Tue,  2 Oct 2012 18:11:13 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id E927A21C016
	for <gentoo-commits@lists.gentoo.org>; Tue,  2 Oct 2012 18:11:12 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 4C23733D751
	for <gentoo-commits@lists.gentoo.org>; Tue,  2 Oct 2012 18:11:03 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id CF20AE5453
	for <gentoo-commits@lists.gentoo.org>; Tue,  2 Oct 2012 18:11:00 +0000 (UTC)
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <1349201163.126f937fbf4b9c5dc0a11d3fa5bddae6d8049851.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: firewalld.fc firewalld.if firewalld.te
X-VCS-Directories: /
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 126f937fbf4b9c5dc0a11d3fa5bddae6d8049851
X-VCS-Branch: master
Date: Tue,  2 Oct 2012 18:11:00 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 79919214-7399-4b1d-9903-7573911139a4
X-Archives-Hash: 4b63b8e4d83de7d0bb40dcc58775a2d4

commit:     126f937fbf4b9c5dc0a11d3fa5bddae6d8049851
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct  1 08:26:16 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct  2 18:06:03 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=126f937f

Initial firewalld policy module

FirewallD is a service daemon with a D-BUS interface that provides a
dynamic managed firewall.

Ported from Fedora

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 firewalld.fc |   10 +++++++
 firewalld.if |   43 +++++++++++++++++++++++++++++
 firewalld.te |   85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+), 0 deletions(-)

diff --git a/firewalld.fc b/firewalld.fc
new file mode 100644
index 0000000..21d7b84
--- /dev/null
+++ b/firewalld.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/firewalld	--	gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
+/usr/sbin/firewalld	--	gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld.*	--	gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/var/run/firewalld(/.*)?	gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid	--	gen_context(system_u:object_r:firewalld_var_run_t,s0)

diff --git a/firewalld.if b/firewalld.if
new file mode 100644
index 0000000..82a225a
--- /dev/null
+++ b/firewalld.if
@@ -0,0 +1,43 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+	gen_require(`
+		type firewalld_t, firewalld_initrc_exec_t;
+		type firewall_etc_rw_t, firewalld_var_run_t;
+		type firewalld_var_log_t;
+	')
+
+	allow $1 firewalld_t:process { ptrace signal_perms };
+	ps_process_pattern($1, firewalld_t)
+
+	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 firewalld_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_pids($1)
+	admin_pattern($1, firewalld_var_run_t)
+	
+	logging_search_logs($1)
+	admin_pattern($1, firewalld_var_log_t)
+
+	files_search_etc($1)
+	admin_pattern($1, firewall_etc_rw_t)
+')

diff --git a/firewalld.te b/firewalld.te
new file mode 100644
index 0000000..0010122
--- /dev/null
+++ b/firewalld.te
@@ -0,0 +1,85 @@
+policy_module(firewalld, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_etc_rw_t;
+files_config_file(firewalld_etc_rw_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+allow firewalld_t firewalld_var_log_t:file append_file_perms;
+allow firewalld_t firewalld_var_log_t:file create_file_perms;
+allow firewalld_t firewalld_var_log_t:file read_file_perms;
+allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+corecmd_exec_shell(firewalld_t)
+
+dev_read_urand(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
+optional_policy(`
+	dbus_system_domain(firewalld_t, firewalld_exec_t)
+
+	optional_policy(`
+		policykit_dbus_chat(firewalld_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(firewalld_t)
+	')
+')
+
+optional_policy(`
+	iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+	modutils_domtrans_insmod(firewalld_t)
+')