policy_module(dhcp, 1.9.0)

########################################
#
# Declarations
#

# dhcpd_t is the daemon domain; dhcpd_exec_t labels the executable that
# init runs to enter it (init_daemon_domain wires up that transition).
type dhcpd_t;
type dhcpd_exec_t;
init_daemon_domain(dhcpd_t, dhcpd_exec_t)

# init script for the daemon
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)

# persistent lease/state data (see the sysnet_dhcp_state_filetrans below)
type dhcpd_state_t;
files_type(dhcpd_state_t)

# scratch files under the tmp directories
type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)

# pid file and other runtime data
type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)

########################################
#
# Local policy
#

# net_raw backs the packet/raw sockets below; sys_resource is also granted.
# net_admin and sys_tty_config are NOT granted: dontaudit only silences the
# denial messages, so the daemon still cannot use them.
allow dhcpd_t self:capability { net_raw sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:tcp_socket create_stream_socket_perms;
allow dhcpd_t self:udp_socket create_socket_perms;
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;

# dhcpd_t may re-execute its own entry-point binary (no domain transition)
can_exec(dhcpd_t, dhcpd_exec_t)

# lease/state files: full management plus the type transition for files
# created in the shared dhcp state directory
manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)

# tmp files and dirs created by the daemon get dhcpd_tmp_t
manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })

# pid file in the pid directory gets dhcpd_var_run_t
manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)

kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
kernel_read_network_state(dhcpd_t)

corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
corenet_raw_sendrecv_generic_if(dhcpd_t)
corenet_tcp_sendrecv_generic_node(dhcpd_t)
corenet_udp_sendrecv_generic_node(dhcpd_t)
corenet_raw_sendrecv_generic_node(dhcpd_t)
# NOTE(review): the *_all_ports interfaces here and connect_all_ports below
# reach far beyond the dhcpd/pxe ports the daemon binds to; confirm which
# peers (failover partners, OMAPI, DNS updates) actually need that breadth
# and whether narrower port interfaces would do.
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
corenet_tcp_bind_generic_node(dhcpd_t)
corenet_udp_bind_generic_node(dhcpd_t)
# listening ports: dhcpd (tcp and udp) and the pxe port (udp)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)

# sysfs plus the random devices (entropy for the daemon)
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
dev_read_urand(dhcpd_t)

fs_getattr_all_fs(dhcpd_t)
fs_search_auto_mountpoints(dhcpd_t)

# may run binaries from the bin directories
corecmd_exec_bin(dhcpd_t)

domain_use_interactive_fds(dhcpd_t)

# read-only access to /etc, /usr and runtime config; search only under /var/lib
files_read_etc_files(dhcpd_t)
files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)

# name/host lookups via nsswitch
auth_use_nsswitch(dhcpd_t)

logging_send_syslog_msg(dhcpd_t)

miscfiles_read_localization(dhcpd_t)

# the dhcp configuration itself lives in the sysnet module's types
sysnet_read_dhcp_config(dhcpd_t)

# silence noise from inherited user fds and home-dir searches; nothing granted
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_user_home_dirs(dhcpd_t)

# Gentoo-specific extra capabilities. NOTE(review): dac_override bypasses
# file permission checks entirely; confirm this set is still required by the
# Gentoo start-up (chroot/privilege-drop) path rather than carried forward.
ifdef(`distro_gentoo',`
	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')

# Each optional_policy block is only applied when the referenced module is
# loaded in the policy.
optional_policy(`
	# used for dynamic DNS
	bind_read_dnssec_keys(dhcpd_t)
')

optional_policy(`
	# system D-Bus client access
	dbus_system_bus_client(dhcpd_t)
	dbus_connect_system_bus(dhcpd_t)
')

optional_policy(`
	# presumably lets newrole see SIGCHLD from this domain — verify against seutil
	seutil_sigchld_newrole(dhcpd_t)
')

optional_policy(`
	# read the udev device database
	udev_read_db(dhcpd_t)
')