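# dnsmasq.te -- reference-policy module confining the dnsmasq DNS/DHCP daemon.
#
# Layout follows the usual refpolicy split: type declarations first, then the
# local access-vector rules for the dnsmasq_t domain, then interface calls into
# other modules, then conditional/optional blocks.
#
# Types introduced here:
#   dnsmasq_t         - the daemon's process domain
#   dnsmasq_exec_t    - the daemon binary (entry point into dnsmasq_t via init)
#   dnsmasq_lease_t   - the DHCP lease database under /var/lib
#   dnsmasq_var_run_t - the daemon's PID file
policy_module(dnsmasq,1.3.0)

########################################
#
# Declarations
#

type dnsmasq_t;
type dnsmasq_exec_t;
# Marks dnsmasq_t as an init-started daemon domain entered by executing
# dnsmasq_exec_t; the init-side transition and the basic daemon permissions
# come from this interface rather than from explicit rules below.
init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)

type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

# Capabilities granted to the daemon's own process.  Each one is a distinct
# privilege and should stay justified:
#   net_bind_service - binding the privileged DNS and DHCP server ports
#                      (see the corenet_*_bind_*_port calls below)
#   net_raw          - raw/packet sockets, matching the rawip_socket and
#                      packet_socket rules below
#   setuid/setgid    - presumably dropping root to the daemon's run-as user
#                      at startup; confirm against the configured --user
#   net_admin        - the broadest of the set; NOTE(review): confirm which
#                      operation actually needs it before keeping it
allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
# Suppress audit noise only; sys_tty_config is NOT granted.
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { setcap signal_perms };
allow dnsmasq_t self:fifo_file { read write };
# Read-only netlink route access (nlmsg_read, no nlmsg_write): the daemon can
# enumerate interfaces/addresses but not change routing from this rule.
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# dhcp leases
# Lease files are created directly under the generic /var/lib directory and
# automatically labelled dnsmasq_lease_t via the file transition.
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)

# PID file: full management of dnsmasq_var_run_t files, created with the
# correct label under the pid directory.
manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)

# Network access.  Send/receive is wide open by design (any generic
# interface, any node, any TCP/UDP port) so the resolver side can talk to
# arbitrary upstream servers, while *binding* is limited to the DNS and
# DHCP server ports.  The packet rules cover the server-side packet types.
corenet_non_ipsec_sendrecv(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
corenet_udp_sendrecv_all_nodes(dnsmasq_t)
corenet_raw_sendrecv_all_nodes(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
# Entropy for DNS transaction IDs / source ports, presumably -- read-only.
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

# allow access to dnsmasq.conf
# Generic read access to etc files; the config is not given its own type.
files_read_etc_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

# resolv.conf and related network configuration (upstream resolvers).
sysnet_read_config(dnsmasq_t)

userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)

# Audit-suppression only; nothing here grants access.
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
	term_dontaudit_use_generic_ptys(dnsmasq_t)
	files_dontaudit_read_root_files(dnsmasq_t)
')

# Interfaces from modules that may not be present in a given build.
optional_policy(`
	nis_use_ypbind(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')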