Commit log: commit message, then author, date, files changed, and lines removed/added (-/+) for each commit.

* various: rules required for DV manipulation in kubevirt
  Kenton Groombridge, 2024-09-21, 1 file, -0/+5
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* iptables: allow reading container engine tmp files
  Kenton Groombridge, 2024-09-21, 1 file, -2/+3
  When multus creates a new network, iptables rules get written to /tmp and iptables will be called to load them.
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* iptables: allow reading usr files
  Kenton Groombridge, 2024-09-21, 1 file, -0/+1
  The nftables program reads files in /usr/share/iproute2.
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Reorder perms and classes
  freedom1b2830, 2024-09-21, 1 file, -1/+1
  Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: fixes for kubernetes
  Kenton Groombridge, 2022-12-13, 1 file, -0/+1
  Signed-off-by: Kenton Groombridge <me@concord.sh>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>

* iptables: Ioctl cgroup dirs.
  Chris PeBenito, 2022-09-03, 1 file, -0/+1
  avc: denied { ioctl } for pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Make hide_broken_symptoms unconditional.
  Chris PeBenito, 2022-03-30, 1 file, -3/+2
  These blocks are always enabled.
  Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* container, iptables: dontaudit iptables rw on /ptmx
  Kenton Groombridge, 2022-01-29, 1 file, -0/+5
  Signed-off-by: Kenton Groombridge <me@concord.sh>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: various userns capability permissions
  Kenton Groombridge, 2022-01-29, 1 file, -0/+1
  Signed-off-by: Kenton Groombridge <me@concord.sh>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Drop module versioning.
  Chris PeBenito, 2022-01-29, 1 file, -1/+1
  Semodule stopped using this many years ago. The policy_module() macro will continue to support an optional second parameter as version. If it is not specified, a default value of 1 is set.
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* iptables.te: Added init_read_script_pipes().
  Jonathan Davies, 2021-11-11, 1 file, -0/+1
  Closes: https://github.com/perfinion/hardened-refpolicy/pull/22
  Signed-off-by: Jonathan Davies <jpds@protonmail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Bump module versions for release.
  Chris PeBenito, 2021-10-31, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: Module version bump.
  Chris PeBenito, 2021-09-05, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* iptables: allow reading initrc pipes
  Kenton Groombridge, 2021-09-05, 1 file, -0/+1
  The systemd service calls a script which reads the saved rules from a file piped to stdin.
  Signed-off-by: Kenton Groombridge <me@concord.sh>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Bump module versions for release.
  Chris PeBenito, 2021-02-06, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: Module version bump.
  Chris PeBenito, 2021-01-31, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Remove modules for programs that are deprecated or no longer supported.
  Chris PeBenito, 2021-01-31, 1 file, -4/+0
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: Module version bump.
  Chris PeBenito, 2021-01-31, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* udev: Drop udev_tbl_t.
  Chris PeBenito, 2021-01-31, 1 file, -1/+0
  This usage under /dev/.udev has been unused for a very long time and replaced by functionality in /run/udev. Since these have separate types, take this opportunity to revoke these likely unnecessary rules.
  Fixes #221
  Derived from Laurent Bigonville's work in #230
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Bump module versions for release.
  Chris PeBenito, 2020-10-11, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Fix several misspellings
  Christian Göttsche, 2020-10-11, 1 file, -1/+1
  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* various: Module version bump.
  Chris PeBenito, 2020-08-09, 1 file, -1/+1
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Update callers for "pid" to "runtime" interface rename.
  Chris PeBenito, 2020-08-09, 1 file, -3/+3
  Signed-off-by: Chris PeBenito <pebenito@ieee.org>
  Signed-off-by: Jason Zaman <perfinion@gentoo.org>

* Bump module versions for release.
  Chris PeBenito, 2019-02-10, 1 file, -1/+1
  Signed-off-by: Jason Zaman <jason@perfinion.com>

* various: Module name bump.
  Chris PeBenito, 2019-02-10, 1 file, -1/+1
  Signed-off-by: Jason Zaman <jason@perfinion.com>

* iptables: Module version bump.
  Chris PeBenito, 2019-02-10, 1 file, -1/+1
  Signed-off-by: Jason Zaman <jason@perfinion.com>

* mozilla, devices, selinux, xserver, init, iptables: Module version bump.
  Chris PeBenito, 2018-07-11, 1 file, -1/+1

* Bump module versions for release.
  Chris PeBenito, 2018-07-02, 1 file, -1/+1

* iptables: Module version bump.
  Chris PeBenito, 2018-03-25, 1 file, -1/+1

* xtables-multi wants to getattr of the proc fs
  Miroslav Grepl, 2018-03-25, 1 file, -0/+1

* Bump module versions for release.
  Chris PeBenito, 2017-09-09, 1 file, -1/+1

* Module version bump for patches from cgzones.
  Chris PeBenito, 2017-06-13, 1 file, -1/+1

* iptables: update
  cgzones, 2017-06-13, 1 file, -15/+7
  v2:
  - do not remove interfaces superseded by auth_use_nsswitch()

* Module version bump for /usr/bin fc fixes from Nicolas Iooss.
  Chris PeBenito, 2017-05-07, 1 file, -1/+1

* kmod, lvm, brctl patches from Russell Coker
  Chris PeBenito, 2017-04-30, 1 file, -1/+1
  Patches for modutils, at least one of which is needed to generate an initramfs on Debian.
  Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc.
  Patch for brctl to allow it to create sysfs files.

* Module version bumps for fixes from cgzones.
  Chris PeBenito, 2017-03-30, 1 file, -1/+1

* modutils: adopt callers to new interfaces
  cgzones, 2017-03-30, 1 file, -1/+1

* Network daemon patches from Russell Coker.
  Chris PeBenito, 2017-02-27, 1 file, -1/+3

* Sort capabilities permissions from Russell Coker.
  Chris PeBenito, 2017-02-17, 1 file, -1/+1

* Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
  Chris PeBenito, 2017-02-05, 1 file, -1/+1

* Bump module versions for release.
  Chris PeBenito, 2017-02-05, 1 file, -1/+1

* Module version bump for fc updates from Nicolas Iooss.
  Chris PeBenito, 2017-01-02, 1 file, -1/+1

* Module version bumps for /run fc changes from cgzones.
  Chris PeBenito, 2017-01-02, 1 file, -1/+1

* Bump module versions for release.
  Chris PeBenito, 2016-10-24, 1 file, -1/+1

* Module version bump for nftables fc entry from Jason Zaman.
  Chris PeBenito, 2016-06-02, 1 file, -1/+1

* Module version bump for iptables/firewalld patch from Laurent Bigonville.
  Chris PeBenito, 2016-03-12, 1 file, -1/+1

* Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
  Laurent Bigonville, 2016-03-12, 1 file, -0/+1
  Since version 0.4.0, firewalld uses *tables-restore to speed up the load of the rules

* Module version bump for iptables fc entries from Laurent Bigonville and Lukas Vrabec.
  Chris PeBenito, 2016-02-12, 1 file, -1/+1

* Module version bump for ipset fc entry from Laurent Bigonville.
  Chris PeBenito, 2016-02-12, 1 file, -1/+1

* Bump module versions for release.
  Chris PeBenito, 2015-12-17, 1 file, -1/+1