iptables_selinux(8) SELinux Policy iptables iptables_selinux(8)

NAME
iptables_selinux - Security Enhanced Linux Policy for the iptables processes

DESCRIPTION
Security-Enhanced Linux secures the iptables processes via flexible mandatory access control.

The iptables processes execute with the iptables_t SELinux type. You can check whether these processes are running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep iptables_t

ENTRYPOINTS
The iptables_t SELinux type can be entered via the iptables_exec_t file type.

The default entrypoint paths for the iptables_t domain are the following:

/sbin/ip6?tables.*
/sbin/ip6?tables-multi.*
/sbin/ip6?tables-restore.*
/usr/sbin/ip6?tables.*
/usr/sbin/ip6?tables-multi.*
/usr/sbin/ip6?tables-restore.*
/sbin/ipchains.*
/usr/sbin/ipchains.*
/usr/libexec/iptables/iptables.init
/usr/libexec/iptables/ip6tables.init
/sbin/nft
/sbin/ipset
/sbin/ipvsadm
/usr/sbin/nft
/sbin/ebtables
/sbin/arptables
/usr/sbin/ipset
/usr/sbin/ipvsadm
/sbin/ipvsadm-save
/usr/libexec/ipset
/usr/sbin/ebtables
/sbin/xtables-multi
/usr/sbin/arptables
/usr/sbin/conntrack
/sbin/arptables-save
/sbin/ipvsadm-restore
/sbin/ebtables-restore
/usr/sbin/ipvsadm-save
/sbin/arptables-restore
/sbin/xtables-nft-multi
/usr/sbin/xtables-multi
/usr/sbin/ipvsadm-restore
/sbin/xtables-legacy-multi
/usr/sbin/ebtables-restore
/usr/sbin/xtables-nft-multi
/usr/sbin/xtables-legacy-multi

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux iptables policy is very flexible, allowing users to set up their iptables processes in as secure a method as possible.

The following process types are defined for iptables:

iptables_t

Note: semanage permissive -a iptables_t can be used to make the process type iptables_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.
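Because a permissive iptables_t still logs every denial, the audit trail is the place to look before switching the domain back to enforcing. The following script is an added example, not part of this man page or the SELinux reference policy; it reads audit.log-style AVC records on stdin, keeps those whose source context is iptables_t, and prints each one as enforced or permissive together with the permissions, object class and target type. The sample records are constructed for the example and are not captured from a real host.

```shell
#!/bin/sh
# Added example (not from iptables_selinux(8)): summarise AVC denials raised
# against the iptables_t domain. A permissive domain still logs denials with
# permissive=1, so each record is marked enforced or permissive to show what
# would actually be blocked once the domain runs enforcing.

# Constructed sample audit records (not from a real host). Record 3 belongs to
# another domain and record 4 is not an AVC record; both must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1590000000.101:201): avc:  denied  { read } for  pid=1234 comm="iptables" name="rules.v4" dev="dm-0" ino=7710 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590000000.102:202): avc:  denied  { write open } for  pid=1234 comm="iptables" name="xtables.lock" dev="tmpfs" ino=12 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1590000000.103:203): avc:  denied  { name_connect } for  pid=2222 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1590000000.101:201): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1234 comm="iptables" exe="/usr/sbin/xtables-nft-multi" subj=system_u:system_r:iptables_t:s0 key=(null)'

# iptables_avc_denials: read audit records on stdin and print one line per
# denial whose source context is iptables_t:
#   <enforced|permissive> <permissions> <tclass> <target type>
iptables_avc_denials() {
    awk '/avc: +denied/ && /scontext=[^ ]*:iptables_t:/ {
        perms = ""; tclass = ""; ttype = ""; mode = "enforced"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                      # collect the permission set up to "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : ",") $j
            }
            if ($i ~ /^tclass=/)   { split($i, a, "="); tclass = a[2] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }  # user:role:type:level
            if ($i == "permissive=1") mode = "permissive"
        }
        print mode, perms, tclass, ttype
    }'
}

# count_enforced_denials: how many of the sample denials were actually
# blocked (permissive=0). "|| :" keeps a zero count from failing under set -e.
count_enforced_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | iptables_avc_denials | grep -c '^enforced' || :
}

# Demonstration run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | iptables_avc_denials
```

On a live host the same function can be fed with the output of ausearch -m AVC; a denial against an iptables_* target type usually points at a mislabeled file, while one against an unrelated type (user_home_t above) is the kind of access the policy is designed to refuse.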


BOOLEANS
SELinux policy is customizable based on least access required. iptables policy is extremely flexible and has several booleans that allow you to manipulate the policy and run iptables with the tightest access possible.

If you want to allow dhcpc client applications to execute iptables commands, you must turn on the dhcpc_exec_iptables boolean. Disabled by default.

setsebool -P dhcpc_exec_iptables 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1
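The three booleans above are the knobs that widen or narrow what iptables_t and its callers may do, so it is worth checking them against a baseline rather than reading getsebool output by eye. The script below is an added example, not part of this man page: it compares getsebool -a style output with a least-privilege baseline and prints the setsebool -P commands that would restore it. The sample output and the baseline are constructed for the example; the baseline values are an assumption for a host that does not need dhcpc or NIS, not policy defaults.

```shell
#!/bin/sh
# Added example (not from iptables_selinux(8)): audit the booleans that affect
# iptables_t against a baseline and emit the persistent setsebool commands
# that would bring the host back in line. Nothing is changed by this script;
# the commands are printed for review.

# Constructed "getsebool -a" style output, not captured from a real host.
SAMPLE_GETSEBOOL='dhcpc_exec_iptables --> on
fips_mode --> on
nis_enabled --> off
httpd_can_network_connect --> off'

# Baseline chosen for this example (an assumption, not a policy default):
# keep the two opt-in booleans off and leave fips_mode at its default of on.
BASELINE='dhcpc_exec_iptables off
fips_mode on
nis_enabled off'

# boolean_drift BASELINE: read getsebool output on stdin and print
# "<boolean> <current> <wanted>" for every baseline entry whose value differs.
boolean_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (k = 1; k <= n; k++) {
                split(lines[k], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] { print $1, $3, want[$1] }'
}

# drift_fix_commands BASELINE: same input, but print the persistent
# setsebool command for each drifted boolean instead of the raw drift line.
drift_fix_commands() {
    boolean_drift "$1" | while read -r name current wanted; do
        printf 'setsebool -P %s %s\n' "$name" "$wanted"
    done
}

# Demonstration run over the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | drift_fix_commands "$BASELINE"
```

Booleans not named in the baseline (httpd_can_network_connect in the sample) are ignored, so the same script can be pointed at the full getsebool -a output of a host and will only report the iptables-related settings you chose to pin.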


MANAGED FILES
The SELinux process type iptables_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

iptables_lock_t

/var/lock/subsys/iptables
/var/lock/subsys/ip6tables

iptables_var_lib_t

/var/lib/ebtables(/.*)?

iptables_var_run_t

/var/run/xtables.*
/var/run/ebtables.*

psad_var_log_t

/var/log/psad(/.*)?

shorewall_var_lib_t

/var/lib/shorewall(/.*)?
/var/lib/shorewall6(/.*)?
/var/lib/shorewall-lite(/.*)?


FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux iptables policy is very flexible, allowing users to set up their iptables processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for iptables; if you want to store files with these types in different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t iptables_unit_file_t '/srv/myiptables_content(/.*)?'
restorecon -R -v /srv/myiptables_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for iptables:

iptables_exec_t

- Set files with the iptables_exec_t type, if you want to transition an executable to the iptables_t domain.

Paths:
/sbin/ip6?tables.*
/sbin/ip6?tables-multi.*
/sbin/ip6?tables-restore.*
/usr/sbin/ip6?tables.*
/usr/sbin/ip6?tables-multi.*
/usr/sbin/ip6?tables-restore.*
/sbin/ipchains.*
/usr/sbin/ipchains.*
/usr/libexec/iptables/iptables.init
/usr/libexec/iptables/ip6tables.init
/sbin/nft
/sbin/ipset
/sbin/ipvsadm
/usr/sbin/nft
/sbin/ebtables
/sbin/arptables
/usr/sbin/ipset
/usr/sbin/ipvsadm
/sbin/ipvsadm-save
/usr/libexec/ipset
/usr/sbin/ebtables
/sbin/xtables-multi
/usr/sbin/arptables
/usr/sbin/conntrack
/sbin/arptables-save
/sbin/ipvsadm-restore
/sbin/ebtables-restore
/usr/sbin/ipvsadm-save
/sbin/arptables-restore
/sbin/xtables-nft-multi
/usr/sbin/xtables-multi
/usr/sbin/ipvsadm-restore
/sbin/xtables-legacy-multi
/usr/sbin/ebtables-restore
/usr/sbin/xtables-nft-multi
/usr/sbin/xtables-legacy-multi

iptables_initrc_exec_t

- Set files with the iptables_initrc_exec_t type, if you want to transition an executable to the iptables_initrc_t domain.

Paths:
/etc/rc.d/init.d/ip6?tables, /etc/rc.d/init.d/ebtables, /etc/rc.d/init.d/nftables

iptables_lock_t

- Set files with the iptables_lock_t type, if you want to treat the files as iptables lock data, stored under the /var/lock directory.

Paths:
/var/lock/subsys/iptables, /var/lock/subsys/ip6tables

iptables_tmp_t

- Set files with the iptables_tmp_t type, if you want to store iptables temporary files in the /tmp directories.

iptables_unit_file_t

- Set files with the iptables_unit_file_t type, if you want to treat the files as iptables unit content.

Paths:
/usr/lib/systemd/system/ppp.*, /usr/lib/systemd/system/ipset.*, /usr/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables.*, /usr/lib/systemd/system/arptables.*, /usr/lib/systemd/system/ip6tables.*

iptables_var_lib_t

- Set files with the iptables_var_lib_t type, if you want to store the iptables files under the /var/lib directory.

iptables_var_run_t

- Set files with the iptables_var_run_t type, if you want to store the iptables files under the /run or /var/run directory.

Paths:
/var/run/xtables.*, /var/run/ebtables.*

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.
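The entrypoint list, the file type table and the note above all rest on the same mechanism: an anchored regular expression per path that maps it to a type, and restorecon to make the on-disk label agree with that mapping. The script below is an added example, not part of this man page or of the SELinux policy tools; it carries a subset of the default contexts listed on this page in a small table, answers "which type should this path have" for a path, and then scans ls -dZ style output for files whose current type differs, printing the restorecon command for each. The listing it scans is constructed for the example; a real policy resolves overlapping patterns by specificity, whereas this table takes the first match, which is fine here because every overlapping pair maps to the same type.

```shell
#!/bin/sh
# Added example (not from iptables_selinux(8) or the reference policy): a
# matchpathcon-style lookup over a subset of the default file contexts this
# page lists, plus a check that finds files whose on-disk label differs from
# that default. SELinux file-context regexes are implicitly anchored at both
# ends, so each pattern is wrapped in ^...$ before grep -E tests it.

# "<type> <regex>" pairs copied from the page (subset). Overlapping entries
# such as /usr/sbin/ip6?tables.* and /usr/sbin/ip6?tables-restore.* resolve
# to the same type, so first-match is sufficient for this table.
IPTABLES_FCONTEXTS='iptables_exec_t /usr/sbin/ip6?tables.*
iptables_exec_t /usr/sbin/ip6?tables-restore.*
iptables_exec_t /usr/sbin/nft
iptables_exec_t /usr/sbin/ipset
iptables_exec_t /usr/sbin/conntrack
iptables_exec_t /usr/sbin/xtables-nft-multi
iptables_exec_t /usr/libexec/iptables/iptables.init
iptables_initrc_exec_t /etc/rc.d/init.d/ip6?tables
iptables_lock_t /var/lock/subsys/iptables
iptables_lock_t /var/lock/subsys/ip6tables
iptables_var_lib_t /var/lib/ebtables(/.*)?
iptables_var_run_t /var/run/xtables.*
iptables_var_run_t /var/run/ebtables.*
iptables_unit_file_t /usr/lib/systemd/system/iptables.*
iptables_unit_file_t /usr/lib/systemd/system/ip6tables.*
psad_var_log_t /var/log/psad(/.*)?
shorewall_var_lib_t /var/lib/shorewall(/.*)?'

# expected_type PATH: print the default type for PATH; print "unknown" and
# return 1 when no pattern in the table covers it.
expected_type() {
    _p=$1
    while read -r _type _re; do          # a here-document keeps this in the current shell
        [ -n "$_re" ] || continue
        if printf '%s\n' "$_p" | grep -Eq "^${_re}\$"; then
            printf '%s\n' "$_type"
            return 0
        fi
    done <<EOF
$IPTABLES_FCONTEXTS
EOF
    printf 'unknown\n'
    return 1
}

# find_mislabeled: stdin is "ls -dZ" style output (security context, then
# path). Prints "PATH CURRENT_TYPE EXPECTED_TYPE" for each path whose type
# component (user:role:type:level) differs from the table's default.
find_mislabeled() {
    while read -r _ctx _path; do
        [ -n "$_path" ] || continue
        _cur=$(printf '%s\n' "$_ctx" | cut -d: -f3)
        _exp=$(expected_type "$_path") || continue   # not covered by the table: skip
        [ "$_cur" = "$_exp" ] || printf '%s %s %s\n' "$_path" "$_cur" "$_exp"
    done
}

# relabel_commands: same stdin, prints the restorecon command for each
# mislabeled path (printed for review, not executed).
relabel_commands() {
    find_mislabeled | while read -r _path _cur _exp; do
        printf 'restorecon -v %s\n' "$_path"
    done
}

# Constructed "ls -dZ" style listing (not from a real host). The lock file has
# a generic var_run_t label and the binary is bin_t, so both should be flagged;
# /etc/sysconfig/iptables is outside the table and is skipped.
SAMPLE_LS_Z='system_u:object_r:iptables_lock_t:s0 /var/lock/subsys/iptables
unconfined_u:object_r:var_run_t:s0 /var/run/xtables.lock
system_u:object_r:bin_t:s0 /usr/sbin/iptables-restore
system_u:object_r:iptables_var_lib_t:s0 /var/lib/ebtables/ebtables
system_u:object_r:etc_t:s0 /etc/sysconfig/iptables'

# Demonstration run over the constructed listing.
printf '%s\n' "$SAMPLE_LS_Z" | relabel_commands
```

A wrongly labeled entrypoint (bin_t instead of iptables_exec_t above) is a common reason a firewall service runs unconfined or fails to start after a manual copy of the binary; the mismatch shows up in this check before it shows up as an AVC denial.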


COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.


AUTHOR
This manual page was auto-generated using sepolicy manpage.


SEE ALSO
selinux(8), iptables(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)



iptables 20-05-05 iptables_selinux(8)