[people/stevee/selinux-policy.git] / policy / modules / services / dnsmasq.te


policy_module(dnsmasq, 1.9.0)

########################################
#
# Declarations
#

type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)

type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)

type dnsmasq_etc_t;
files_config_file(dnsmasq_etc_t)

type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)

type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)

# dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)

manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)

manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)

corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_generic_node(dnsmasq_t)
corenet_udp_sendrecv_generic_node(dnsmasq_t)
corenet_raw_sendrecv_generic_node(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_generic_node(dnsmasq_t)
corenet_udp_bind_generic_node(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_all_ports(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

auth_use_nsswitch(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)

optional_policy(`
	cobbler_read_lib_files(dnsmasq_t)
')

optional_policy(`
	dbus_system_bus_client(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

optional_policy(`
	tftp_read_content(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')

optional_policy(`
	virt_manage_lib_files(dnsmasq_t)
	virt_read_pid_files(dnsmasq_t)
')
Commit	Line	Data
9e725d8a	1
29af4c13	2	policy_module(dnsmasq, 1.9.0)
9e725d8a CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dnsmasq_t;
	10	type dnsmasq_exec_t;
0bfccda4	11	init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
9e725d8a	12
01e9e7db CP	13	type dnsmasq_initrc_exec_t;
	14	init_script_file(dnsmasq_initrc_exec_t)
	15
1031ee6f DG	16	type dnsmasq_etc_t;
	17	files_config_file(dnsmasq_etc_t)
	18
9e725d8a CP	19	type dnsmasq_lease_t;
	20	files_type(dnsmasq_lease_t)
	21
37194ac0 JS	22	type dnsmasq_var_log_t;
	23	logging_log_file(dnsmasq_var_log_t)
	24
9e725d8a CP	25	type dnsmasq_var_run_t;
	26	files_pid_file(dnsmasq_var_run_t)
	27
	28	########################################
	29	#
	30	# Local policy
	31	#
	32
37194ac0	33	allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
9e725d8a	34	dontaudit dnsmasq_t self:capability sys_tty_config;
01e9e7db	35	allow dnsmasq_t self:process { getcap setcap signal_perms };
0b36a214	36	allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
ed38ca9f	37	allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
9e725d8a CP	38	allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
	39	allow dnsmasq_t self:udp_socket create_socket_perms;
	40	allow dnsmasq_t self:packet_socket create_socket_perms;
	41	allow dnsmasq_t self:rawip_socket create_socket_perms;
	42
37194ac0	43	read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
1031ee6f	44
9e725d8a	45	# dhcp leases
01e9e7db	46	manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
3f67f722	47	files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
9e725d8a	48
37194ac0 JS	49	manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
	50	logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
	51
0bfccda4 CP	52	manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
0bfccda4 CP	53	files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
9e725d8a CP	54
9e725d8a CP	55	kernel_read_kernel_sysctls(dnsmasq_t)
8f17f7c2	56	kernel_read_system_state(dnsmasq_t)
9e725d8a	57
19006686 CP	58	corenet_all_recvfrom_unlabeled(dnsmasq_t)
19006686 CP	59	corenet_all_recvfrom_netlabel(dnsmasq_t)
9e725d8a CP	60	corenet_tcp_sendrecv_generic_if(dnsmasq_t)
	61	corenet_udp_sendrecv_generic_if(dnsmasq_t)
	62	corenet_raw_sendrecv_generic_if(dnsmasq_t)
c1262146 CP	63	corenet_tcp_sendrecv_generic_node(dnsmasq_t)
	64	corenet_udp_sendrecv_generic_node(dnsmasq_t)
	65	corenet_raw_sendrecv_generic_node(dnsmasq_t)
9e725d8a CP	66	corenet_tcp_sendrecv_all_ports(dnsmasq_t)
9e725d8a CP	67	corenet_udp_sendrecv_all_ports(dnsmasq_t)
c1262146 CP	68	corenet_tcp_bind_generic_node(dnsmasq_t)
c1262146 CP	69	corenet_udp_bind_generic_node(dnsmasq_t)
9e725d8a	70	corenet_tcp_bind_dns_port(dnsmasq_t)
01e9e7db	71	corenet_udp_bind_all_ports(dnsmasq_t)
141cffdd CP	72	corenet_sendrecv_dns_server_packets(dnsmasq_t)
141cffdd CP	73	corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
9e725d8a CP	74
	75	dev_read_sysfs(dnsmasq_t)
	76	dev_read_urand(dnsmasq_t)
	77
	78	domain_use_interactive_fds(dnsmasq_t)
	79
27eab81f	80	files_read_etc_files(dnsmasq_t)
8f800d48	81	files_read_etc_runtime_files(dnsmasq_t)
9e725d8a CP	82
	83	fs_getattr_all_fs(dnsmasq_t)
	84	fs_search_auto_mountpoints(dnsmasq_t)
	85
8f800d48 CP	86	auth_use_nsswitch(dnsmasq_t)
8f800d48 CP	87
9e725d8a CP	88	logging_send_syslog_msg(dnsmasq_t)
	89
	90	miscfiles_read_localization(dnsmasq_t)
	91
9e725d8a	92	userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
296273a7	93	userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
9e725d8a	94
37194ac0 JS	95	optional_policy(`
	96	cobbler_read_lib_files(dnsmasq_t)
	97	')
	98
	99	optional_policy(`
	100	dbus_system_bus_client(dnsmasq_t)
	101	')
	102
9e725d8a CP	103	optional_policy(`
	104	seutil_sigchld_newrole(dnsmasq_t)
	105	')
	106
8f17f7c2 CP	107	optional_policy(`
	108	tftp_read_content(dnsmasq_t)
	109	')
	110
9e725d8a CP	111	optional_policy(`
	112	udev_read_db(dnsmasq_t)
	113	')
01e9e7db CP	114
	115	optional_policy(`
	116	virt_manage_lib_files(dnsmasq_t)
8f800d48	117	virt_read_pid_files(dnsmasq_t)
01e9e7db	118	')