[people/stevee/selinux-policy.git] / policy / modules / services / dhcp.te


policy_module(dhcp, 1.6.0)

########################################
#
# Declarations
#

type dhcpd_t;
type dhcpd_exec_t;
init_daemon_domain(dhcpd_t, dhcpd_exec_t)

type dhcpd_state_t;
files_type(dhcpd_state_t)

type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)

type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)

########################################
#
# Local policy
#

allow dhcpd_t self:capability net_raw;
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr };
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t self:tcp_socket create_stream_socket_perms;
allow dhcpd_t self:udp_socket create_socket_perms;
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;

can_exec(dhcpd_t, dhcpd_exec_t)

manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)

manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })

manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)

kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)

corenet_all_recvfrom_unlabeled(dhcpd_t)
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_all_if(dhcpd_t)
corenet_udp_sendrecv_all_if(dhcpd_t)
corenet_raw_sendrecv_all_if(dhcpd_t)
corenet_tcp_sendrecv_all_nodes(dhcpd_t)
corenet_udp_sendrecv_all_nodes(dhcpd_t)
corenet_raw_sendrecv_all_nodes(dhcpd_t)
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
corenet_tcp_bind_all_nodes(dhcpd_t)
corenet_udp_bind_all_nodes(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)

dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
dev_read_urand(dhcpd_t)

fs_getattr_all_fs(dhcpd_t)
fs_search_auto_mountpoints(dhcpd_t)

corecmd_exec_bin(dhcpd_t)

domain_use_interactive_fds(dhcpd_t)

files_read_etc_files(dhcpd_t)
files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)

libs_use_ld_so(dhcpd_t)
libs_use_shared_libs(dhcpd_t)

logging_send_syslog_msg(dhcpd_t)

miscfiles_read_localization(dhcpd_t)

sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)

userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)

sysadm_dontaudit_search_home_dirs(dhcpd_t)

ifdef(`distro_gentoo',`
	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')

optional_policy(`
	# used for dynamic DNS
	bind_read_dnssec_keys(dhcpd_t)
')

optional_policy(`
	dbus_system_bus_client_template(dhcpd, dhcpd_t)
	dbus_connect_system_bus(dhcpd_t)
')

optional_policy(`
	nis_use_ypbind(dhcpd_t)
')

optional_policy(`
	nscd_socket_use(dhcpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(dhcpd_t)
')

optional_policy(`
	udev_read_db(dhcpd_t)
')
Commit	Line	Data
7c8fc35b	1
cfcf5004	2	policy_module(dhcp, 1.6.0)
7c8fc35b CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dhcpd_t;
	10	type dhcpd_exec_t;
0bfccda4	11	init_daemon_domain(dhcpd_t, dhcpd_exec_t)
7c8fc35b CP	12
	13	type dhcpd_state_t;
	14	files_type(dhcpd_state_t)
	15
	16	type dhcpd_tmp_t;
	17	files_tmp_file(dhcpd_tmp_t)
	18
	19	type dhcpd_var_run_t;
	20	files_pid_file(dhcpd_var_run_t)
	21
	22	########################################
	23	#
	24	# Local policy
	25	#
	26
7b90f2db CP	27	allow dhcpd_t self:capability net_raw;
7b90f2db CP	28	dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
681c9a02	29	allow dhcpd_t self:process signal_perms;
7c8fc35b CP	30	allow dhcpd_t self:fifo_file { read write getattr };
	31	allow dhcpd_t self:unix_dgram_socket create_socket_perms;
	32	allow dhcpd_t self:unix_stream_socket create_socket_perms;
	33	allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
	34	allow dhcpd_t self:tcp_socket create_stream_socket_perms;
	35	allow dhcpd_t self:udp_socket create_socket_perms;
	36	# Allow dhcpd_t to use packet sockets
	37	allow dhcpd_t self:packet_socket create_socket_perms;
	38	allow dhcpd_t self:rawip_socket create_socket_perms;
	39
0bfccda4	40	can_exec(dhcpd_t, dhcpd_exec_t)
7c8fc35b	41
0bfccda4 CP	42	manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
0bfccda4 CP	43	sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
7c8fc35b	44
0bfccda4 CP	45	manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
0bfccda4 CP	46	manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
103fe280	47	files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
7c8fc35b	48
0bfccda4 CP	49	manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
0bfccda4 CP	50	files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
7c8fc35b CP	51
7c8fc35b CP	52	kernel_read_system_state(dhcpd_t)
445522dc	53	kernel_read_kernel_sysctls(dhcpd_t)
7c8fc35b	54
19006686 CP	55	corenet_all_recvfrom_unlabeled(dhcpd_t)
19006686 CP	56	corenet_all_recvfrom_netlabel(dhcpd_t)
7c8fc35b CP	57	corenet_tcp_sendrecv_all_if(dhcpd_t)
	58	corenet_udp_sendrecv_all_if(dhcpd_t)
	59	corenet_raw_sendrecv_all_if(dhcpd_t)
	60	corenet_tcp_sendrecv_all_nodes(dhcpd_t)
	61	corenet_udp_sendrecv_all_nodes(dhcpd_t)
	62	corenet_raw_sendrecv_all_nodes(dhcpd_t)
	63	corenet_tcp_sendrecv_all_ports(dhcpd_t)
	64	corenet_udp_sendrecv_all_ports(dhcpd_t)
	65	corenet_tcp_bind_all_nodes(dhcpd_t)
	66	corenet_udp_bind_all_nodes(dhcpd_t)
77f6e2cd	67	corenet_tcp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	68	corenet_udp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	69	corenet_udp_bind_pxe_port(dhcpd_t)
a0824843	70	corenet_tcp_connect_all_ports(dhcpd_t)
141cffdd CP	71	corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
	72	corenet_sendrecv_pxe_server_packets(dhcpd_t)
	73	corenet_sendrecv_all_client_packets(dhcpd_t)
7c8fc35b CP	74
	75	dev_read_sysfs(dhcpd_t)
	76	dev_read_rand(dhcpd_t)
	77	dev_read_urand(dhcpd_t)
	78
	79	fs_getattr_all_fs(dhcpd_t)
	80	fs_search_auto_mountpoints(dhcpd_t)
	81
7c8fc35b	82	corecmd_exec_bin(dhcpd_t)
7c8fc35b	83
15722ec9	84	domain_use_interactive_fds(dhcpd_t)
7c8fc35b CP	85
	86	files_read_etc_files(dhcpd_t)
	87	files_read_usr_files(dhcpd_t)
	88	files_read_etc_runtime_files(dhcpd_t)
	89	files_search_var_lib(dhcpd_t)
	90
7c8fc35b CP	91	libs_use_ld_so(dhcpd_t)
	92	libs_use_shared_libs(dhcpd_t)
	93
	94	logging_send_syslog_msg(dhcpd_t)
	95
	96	miscfiles_read_localization(dhcpd_t)
	97
	98	sysnet_read_config(dhcpd_t)
	99	sysnet_read_dhcp_config(dhcpd_t)
	100
15722ec9	101	userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
e9c6cda7 CP	102
e9c6cda7 CP	103	sysadm_dontaudit_search_home_dirs(dhcpd_t)
7c8fc35b CP	104
	105	ifdef(`distro_gentoo',`
	106	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
	107	')
	108
bb7170f6	109	optional_policy(`
7c8fc35b CP	110	# used for dynamic DNS
	111	bind_read_dnssec_keys(dhcpd_t)
	112	')
	113
8708d9be	114	optional_policy(`
0bfccda4	115	dbus_system_bus_client_template(dhcpd, dhcpd_t)
8708d9be	116	dbus_connect_system_bus(dhcpd_t)
8708d9be CP	117	')
8708d9be CP	118
bb7170f6	119	optional_policy(`
7c8fc35b CP	120	nis_use_ypbind(dhcpd_t)
	121	')
	122
bb7170f6	123	optional_policy(`
1815bad1	124	nscd_socket_use(dhcpd_t)
a0824843 CP	125	')
a0824843 CP	126
bb7170f6	127	optional_policy(`
7c8fc35b CP	128	seutil_sigchld_newrole(dhcpd_t)
	129	')
	130
bb7170f6	131	optional_policy(`
7c8fc35b CP	132	udev_read_db(dhcpd_t)
7c8fc35b CP	133	')