diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5c94dfe..68cd2d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
-
-#####################################
-##
-## Set the attributes of iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_setattr_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:file setattr;
-')
-
-#####################################
-##
-## Read iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_read_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_search_etc($1)
- allow $1 iptables_conf_t:dir list_dir_perms;
- read_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
-
-#####################################
-##
-## Create files in /etc with the type used for
-## the iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_etc_filetrans_config',`
- gen_require(`
- type iptables_conf_t;
- ')
-
- files_etc_filetrans($1, iptables_conf_t, file)
-')
-
-###################################
-##
-## Manage iptables config files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`iptables_manage_config',`
- gen_require(`
- type iptables_conf_t;
- type etc_t;
- ')
-
- files_search_etc($1)
- manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index a3fdcb3..ab6679d 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -13,9 +13,6 @@ role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
-type iptables_conf_t;
-files_config_file(iptables_conf_t)
-
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
@@ -31,10 +28,11 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
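Review bot: The two added `files_*_system_conf` lines widen iptables_t from writing only its own `iptables_conf_t` files to managing every file carrying the generic system configuration type, and the hunk records no reason for giving up the dedicated type. If the goal is just to drop the separate type, a one-line comment above them such as `# iptables rulesets are stored as generic system conf files; iptables_t needs write access to all of them` would let the next reader judge the trade-off instead of guessing. As printed, `files_etc_filetrans_system_conf(iptables_` is truncated and would not compile; it should read `files_etc_filetrans_system_conf(iptables_t)` unless this is only a rendering artifact of the diff. The new `self:netlink_socket create_socket_perms` rule uses the generic netlink class; if the policy's class set has a more specific netlink class matching the socket iptables actually opens, that would be the tighter rule, otherwise a short comment naming why the generic class is needed would help.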
@@ -52,6 +50,9 @@ kernel_read_kernel_sysctls(iptables_t)
kernel_read_modprobe_sysctls(iptables_t)
kernel_use_fds(iptables_t)
+corecmd_exec_bin(iptables_t)
+corecmd_exec_shell(iptables_t)
+
corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
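Review bot: `corecmd_exec_bin(iptables_t)` and `corecmd_exec_shell(iptables_t)` let the iptables domain execute any labelled binary or shell, which is a large step for a domain that otherwise only touches netfilter, and nothing in the hunk says which tool or init path needs it. Please add a comment above the pair naming the caller, for example `# <program/path> invokes helper scripts from the iptables domain -- TODO confirm`, and check whether only one of the two is actually required. If the shell execution is only needed by the init script rather than the iptables binaries themselves, it may belong in the init script's domain instead.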
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..fd99a6e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,12 +1,19 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)