authorChris PeBenito <cpebenito@tresys.com>2009-09-02 08:58:52 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-09-02 08:58:52 -0400
commit625be1b4e6b4cc7926379891b50ef95dfb96f139 (patch)
treef56041b6355e713d00e3fd0704f19fd3f1cb060a
parent71965a1fc58af381ad42a19d3bf5fe8fd54cbfb7 (diff)
add shorewall from dan.
-rw-r--r--Changelog1
-rw-r--r--policy/modules/admin/shorewall.fc11
-rw-r--r--policy/modules/admin/shorewall.if124
-rw-r--r--policy/modules/admin/shorewall.te93
-rw-r--r--policy/modules/system/iptables.fc2
-rw-r--r--policy/modules/system/iptables.te2
6 files changed, 230 insertions, 3 deletions
diff --git a/Changelog b/Changelog
index 51dceb7e..e0331c3a 100644
--- a/Changelog
+++ b/Changelog
@@ -11,6 +11,7 @@
- Added modules:
hddtemp (Dan Walsh)
kdump (Dan Walsh)
+ shorewall (Dan Walsh)
* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
- Gentoo fixes for init scripts and system startup.
diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
new file mode 100644
index 00000000..288ece1f
--- /dev/null
+++ b/policy/modules/admin/shorewall.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
new file mode 100644
index 00000000..1d3badea
--- /dev/null
+++ b/policy/modules/admin/shorewall.if
@@ -0,0 +1,124 @@
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+ gen_require(`
+ type shorewall_t, shorewall_exec_t;
+ ')
+
+ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_config',`
+ gen_require(`
+ type shorewall_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+## Read shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+## Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+ gen_require(`
+ type shorewall_var_run_t;
+ ')
+
+ files_search_pids($1)
+ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+## All of the rules required to administrate
+## an shorewall environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+ gen_require(`
+ type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
+ type shorewall_tmp_t;
+ ')
+
+ allow $1 shorewall_t:process { ptrace signal_perms };
+ ps_process_pattern($1, shorewall_t)
+
+ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 shorewall_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, shorewall_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, shorewall_lock_t)
+
+ files_search_pids($1)
+ admin_pattern($1, shorewall_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, shorewall_var_lib_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, shorewall_tmp_t)
+')
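Review bot: shorewall_admin calls `admin_pattern($1, shorewall_etc_t)` (the line after `files_search_etc($1)`) without listing shorewall_etc_t in its gen_require block, so a caller that does not already have that type in scope fails to build; extend the first require line to `type shorewall_t, shorewall_etc_t, shorewall_var_run_t, shorewall_lock_t;`. The same block and the two PID-file interfaces (shorewall_read_pid_files, shorewall_rw_pid_files) require shorewall_var_run_t, but the new shorewall.te added by this commit declares only shorewall_t, shorewall_exec_t, shorewall_initrc_exec_t, shorewall_etc_t, shorewall_lock_t, shorewall_tmp_t and shorewall_var_lib_t, so any call to those three interfaces will fail on an undeclared type unless `type shorewall_var_run_t; files_pid_file(shorewall_var_run_t)` is added to the .te together with a matching .fc entry. The role parameter's summary still reads `The role to be allowed to manage the syslog domain.` and should say the shorewall domain, and `an shorewall environment` should read `a shorewall environment`.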
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
new file mode 100644
index 00000000..1ad6de74
--- /dev/null
+++ b/policy/modules/admin/shorewall.te
@@ -0,0 +1,93 @@
+
+policy_module(shorewall, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_daemon_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
+
+manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+
+optional_policy(`
+ iptables_domtrans(shorewall_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+ ulogd_search_log(shorewall_t)
+')
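Review bot: shorewall_t is granted both `exec_files_pattern` and `manage_files_pattern` on shorewall_var_lib_t (the exec line and the two manage lines below it), so the domain can write a file under /var/lib/shorewall and then execute it; this is presumably deliberate because shorewall compiles its rule set into a script stored there, but nothing in the hunk records that, and a write-then-execute type is exactly what a policy reviewer will question. Suggest a comment above the exec line, `# shorewall compiles the firewall into a script under /var/lib/shorewall and executes it`, so the exception reads as intentional rather than as an oversight. The `allow shorewall_t self:capability` line also includes sys_ptrace next to domain_read_all_domains_state; if the only need is reading /proc state of other domains, sys_ptrace may be unnecessary and is worth confirming against audit output before keeping it.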
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index cc04d8d8..ac6c7899 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -5,5 +5,3 @@
/usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 79a89e85..b70500e4 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,5 +1,5 @@
-policy_module(iptables, 1.9.0)
+policy_module(iptables, 1.9.1)
########################################
#