[people/stevee/selinux-policy.git] / policy / modules / services / dhcp.te


policy_module(dhcp, 1.9.0)

########################################
#
# Declarations
#

type dhcpd_t;
type dhcpd_exec_t;
init_daemon_domain(dhcpd_t, dhcpd_exec_t)

type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)

type dhcpd_state_t;
files_type(dhcpd_state_t)

type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)

type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)

########################################
#
# Local policy
#

allow dhcpd_t self:capability { net_raw sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:tcp_socket create_stream_socket_perms;
allow dhcpd_t self:udp_socket create_socket_perms;
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;

can_exec(dhcpd_t, dhcpd_exec_t)

manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)

manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })

manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)

kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)

corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
corenet_raw_sendrecv_generic_if(dhcpd_t)
corenet_tcp_sendrecv_generic_node(dhcpd_t)
corenet_udp_sendrecv_generic_node(dhcpd_t)
corenet_raw_sendrecv_generic_node(dhcpd_t)
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
corenet_tcp_bind_generic_node(dhcpd_t)
corenet_udp_bind_generic_node(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)

dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
dev_read_urand(dhcpd_t)

fs_getattr_all_fs(dhcpd_t)
fs_search_auto_mountpoints(dhcpd_t)

corecmd_exec_bin(dhcpd_t)

domain_use_interactive_fds(dhcpd_t)

files_read_etc_files(dhcpd_t)
files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)

auth_use_nsswitch(dhcpd_t)

logging_send_syslog_msg(dhcpd_t)

miscfiles_read_localization(dhcpd_t)

sysnet_read_dhcp_config(dhcpd_t)

userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_user_home_dirs(dhcpd_t)

ifdef(`distro_gentoo',`
	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')

optional_policy(`
	# used for dynamic DNS
	bind_read_dnssec_keys(dhcpd_t)
')

optional_policy(`
	dbus_system_bus_client(dhcpd_t)
	dbus_connect_system_bus(dhcpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dhcpd_t)
')

optional_policy(`
	udev_read_db(dhcpd_t)
')
Commit	Line	Data
7c8fc35b	1
29af4c13	2	policy_module(dhcp, 1.9.0)
7c8fc35b CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dhcpd_t;
	10	type dhcpd_exec_t;
0bfccda4	11	init_daemon_domain(dhcpd_t, dhcpd_exec_t)
7c8fc35b	12
659c8650 CP	13	type dhcpd_initrc_exec_t;
	14	init_script_file(dhcpd_initrc_exec_t)
	15
7c8fc35b CP	16	type dhcpd_state_t;
	17	files_type(dhcpd_state_t)
	18
	19	type dhcpd_tmp_t;
	20	files_tmp_file(dhcpd_tmp_t)
	21
	22	type dhcpd_var_run_t;
	23	files_pid_file(dhcpd_var_run_t)
	24
	25	########################################
	26	#
	27	# Local policy
	28	#
	29
659c8650	30	allow dhcpd_t self:capability { net_raw sys_resource };
7b90f2db	31	dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
681c9a02	32	allow dhcpd_t self:process signal_perms;
0b36a214	33	allow dhcpd_t self:fifo_file rw_fifo_file_perms;
7c8fc35b CP	34	allow dhcpd_t self:unix_dgram_socket create_socket_perms;
7c8fc35b CP	35	allow dhcpd_t self:unix_stream_socket create_socket_perms;
7c8fc35b CP	36	allow dhcpd_t self:tcp_socket create_stream_socket_perms;
	37	allow dhcpd_t self:udp_socket create_socket_perms;
	38	# Allow dhcpd_t to use packet sockets
	39	allow dhcpd_t self:packet_socket create_socket_perms;
	40	allow dhcpd_t self:rawip_socket create_socket_perms;
	41
0bfccda4	42	can_exec(dhcpd_t, dhcpd_exec_t)
7c8fc35b	43
0bfccda4 CP	44	manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
0bfccda4 CP	45	sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
7c8fc35b	46
0bfccda4 CP	47	manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
0bfccda4 CP	48	manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
103fe280	49	files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
7c8fc35b	50
0bfccda4 CP	51	manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
0bfccda4 CP	52	files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
7c8fc35b CP	53
7c8fc35b CP	54	kernel_read_system_state(dhcpd_t)
445522dc	55	kernel_read_kernel_sysctls(dhcpd_t)
659c8650	56	kernel_read_network_state(dhcpd_t)
7c8fc35b	57
19006686 CP	58	corenet_all_recvfrom_unlabeled(dhcpd_t)
19006686 CP	59	corenet_all_recvfrom_netlabel(dhcpd_t)
668b3093 CP	60	corenet_tcp_sendrecv_generic_if(dhcpd_t)
	61	corenet_udp_sendrecv_generic_if(dhcpd_t)
	62	corenet_raw_sendrecv_generic_if(dhcpd_t)
c1262146 CP	63	corenet_tcp_sendrecv_generic_node(dhcpd_t)
	64	corenet_udp_sendrecv_generic_node(dhcpd_t)
	65	corenet_raw_sendrecv_generic_node(dhcpd_t)
7c8fc35b CP	66	corenet_tcp_sendrecv_all_ports(dhcpd_t)
7c8fc35b CP	67	corenet_udp_sendrecv_all_ports(dhcpd_t)
c1262146 CP	68	corenet_tcp_bind_generic_node(dhcpd_t)
c1262146 CP	69	corenet_udp_bind_generic_node(dhcpd_t)
77f6e2cd	70	corenet_tcp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	71	corenet_udp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	72	corenet_udp_bind_pxe_port(dhcpd_t)
a0824843	73	corenet_tcp_connect_all_ports(dhcpd_t)
141cffdd CP	74	corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
	75	corenet_sendrecv_pxe_server_packets(dhcpd_t)
	76	corenet_sendrecv_all_client_packets(dhcpd_t)
7c8fc35b CP	77
	78	dev_read_sysfs(dhcpd_t)
	79	dev_read_rand(dhcpd_t)
	80	dev_read_urand(dhcpd_t)
	81
	82	fs_getattr_all_fs(dhcpd_t)
	83	fs_search_auto_mountpoints(dhcpd_t)
	84
7c8fc35b	85	corecmd_exec_bin(dhcpd_t)
7c8fc35b	86
15722ec9	87	domain_use_interactive_fds(dhcpd_t)
7c8fc35b CP	88
	89	files_read_etc_files(dhcpd_t)
	90	files_read_usr_files(dhcpd_t)
	91	files_read_etc_runtime_files(dhcpd_t)
	92	files_search_var_lib(dhcpd_t)
	93
659c8650 CP	94	auth_use_nsswitch(dhcpd_t)
659c8650 CP	95
7c8fc35b CP	96	logging_send_syslog_msg(dhcpd_t)
	97
	98	miscfiles_read_localization(dhcpd_t)
	99
7c8fc35b CP	100	sysnet_read_dhcp_config(dhcpd_t)
7c8fc35b CP	101
15722ec9	102	userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
296273a7	103	userdom_dontaudit_search_user_home_dirs(dhcpd_t)
7c8fc35b CP	104
	105	ifdef(`distro_gentoo',`
	106	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
	107	')
	108
bb7170f6	109	optional_policy(`
7c8fc35b CP	110	# used for dynamic DNS
	111	bind_read_dnssec_keys(dhcpd_t)
	112	')
	113
8708d9be	114	optional_policy(`
296273a7	115	dbus_system_bus_client(dhcpd_t)
8708d9be	116	dbus_connect_system_bus(dhcpd_t)
8708d9be CP	117	')
8708d9be CP	118
bb7170f6	119	optional_policy(`
7c8fc35b CP	120	seutil_sigchld_newrole(dhcpd_t)
	121	')
	122
bb7170f6	123	optional_policy(`
7c8fc35b CP	124	udev_read_db(dhcpd_t)
7c8fc35b CP	125	')