# SELinux reference-policy module for the dnsmasq DNS/DHCP daemon.
# Confines the daemon in dnsmasq_t and labels its config, lease, log and
# pid files so that each is reachable only with the access declared below.

policy_module(dnsmasq, 1.9.0)

########################################
#
# Declarations
#

# Daemon domain and the executable that transitions into it (via init).
type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)

# Init script label for the service.
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)

# Configuration files; the daemon only gets read access to these (see below).
type dnsmasq_etc_t;
files_config_file(dnsmasq_etc_t)

# DHCP lease database, created under /var/lib (see files_var_lib_filetrans below).
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

# Daemon log files.
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)

# Pid file in the runtime (pid) directory.
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

# Capabilities the daemon may exercise on itself.
# NOTE(review): dac_override bypasses discretionary file-permission checks and
# is the broadest grant on this line; net_admin is also wide. Confirm both are
# still required by current dnsmasq versions rather than inherited history.
allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
# Suppress (not grant) the sys_tty_config denial noise seen on daemon start.
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
# Route netlink is read-only apart from the socket setup itself (nlmsg_read, no nlmsg_write).
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
# NOTE(review): packet and raw IP sockets are presumably for DHCP traffic to
# clients that have no address yet — confirm against the daemon's use.
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# Config is read-only from the daemon domain; nothing here lets dnsmasq_t write it.
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)

# dhcp leases
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)

# Log files: full manage access plus the automatic label on creation.
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)

# Pid file: same pattern as the log files.
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)

# Network access. Receive on any interface/node for tcp, udp and raw.
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_generic_node(dnsmasq_t)
corenet_udp_sendrecv_generic_node(dnsmasq_t)
corenet_raw_sendrecv_generic_node(dnsmasq_t)
# NOTE(review): send/recv on all ports is wider than the dns/dhcpd server
# packet interfaces granted just below; confirm which additional ports
# (e.g. the TFTP service enabled by the optional tftp block) require it.
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_generic_node(dnsmasq_t)
corenet_udp_bind_generic_node(dnsmasq_t)
# TCP is restricted to the dns port, but UDP may bind any port.
# NOTE(review): confirm udp bind_all_ports cannot be narrowed to the dns,
# dhcpd and tftp ports — this is the main listening-surface grant in the module.
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_all_ports(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

# Name resolution / user lookups through the configured nsswitch backends.
auth_use_nsswitch(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

# Suppress expected denials from inherited fds and home-dir searches
# rather than granting the access.
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)

# Integrations below only apply when the named module is loaded.
optional_policy(`
	cobbler_read_lib_files(dnsmasq_t)
')

optional_policy(`
	dbus_system_bus_client(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

# Read-only: dnsmasq serves TFTP content but must not be able to modify it.
optional_policy(`
	tftp_read_content(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')

# NOTE(review): this block grants manage (create/write/delete) on virt lib
# files, wider than the read-only access in the other optional blocks;
# confirm write access is needed (presumably libvirt-managed lease/config
# files) and that read would not suffice.
optional_policy(`
	virt_manage_lib_files(dnsmasq_t)
	virt_read_pid_files(dnsmasq_t)
')