[people/stevee/selinux-policy.git] / policy / modules / services / dnsmasq.te


policy_module(dnsmasq,1.3.0)

########################################
#
# Declarations
#

type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)

type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { setcap signal_perms };
allow dnsmasq_t self:fifo_file { read write };
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# dhcp leases
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)

manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)

corenet_non_ipsec_sendrecv(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
corenet_udp_sendrecv_all_nodes(dnsmasq_t)
corenet_raw_sendrecv_all_nodes(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

sysnet_read_config(dnsmasq_t)

userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
	term_dontaudit_use_generic_ptys(dnsmasq_t)
	files_dontaudit_read_root_files(dnsmasq_t)
')

optional_policy(`
	nis_use_ypbind(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')
Commit	Line	Data
9e725d8a	1
0251df3e	2	policy_module(dnsmasq,1.3.0)
9e725d8a CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dnsmasq_t;
	10	type dnsmasq_exec_t;
	11	init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
	12
	13	type dnsmasq_lease_t;
	14	files_type(dnsmasq_lease_t)
	15
	16	type dnsmasq_var_run_t;
	17	files_pid_file(dnsmasq_var_run_t)
	18
	19	########################################
	20	#
	21	# Local policy
	22	#
	23
ed38ca9f	24	allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
9e725d8a	25	dontaudit dnsmasq_t self:capability sys_tty_config;
ed38ca9f CP	26	allow dnsmasq_t self:process { setcap signal_perms };
	27	allow dnsmasq_t self:fifo_file { read write };
	28	allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
9e725d8a CP	29	allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
	30	allow dnsmasq_t self:udp_socket create_socket_perms;
	31	allow dnsmasq_t self:packet_socket create_socket_perms;
	32	allow dnsmasq_t self:rawip_socket create_socket_perms;
	33
	34	# dhcp leases
	35	allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
	36	files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
	37
c0868a7a	38	manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
9e725d8a CP	39	files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
	40
	41	kernel_read_kernel_sysctls(dnsmasq_t)
	42	kernel_list_proc(dnsmasq_t)
	43	kernel_read_proc_symlinks(dnsmasq_t)
	44
141cffdd	45	corenet_non_ipsec_sendrecv(dnsmasq_t)
9e725d8a CP	46	corenet_tcp_sendrecv_generic_if(dnsmasq_t)
	47	corenet_udp_sendrecv_generic_if(dnsmasq_t)
	48	corenet_raw_sendrecv_generic_if(dnsmasq_t)
	49	corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
	50	corenet_udp_sendrecv_all_nodes(dnsmasq_t)
	51	corenet_raw_sendrecv_all_nodes(dnsmasq_t)
	52	corenet_tcp_sendrecv_all_ports(dnsmasq_t)
	53	corenet_udp_sendrecv_all_ports(dnsmasq_t)
9e725d8a CP	54	corenet_tcp_bind_all_nodes(dnsmasq_t)
	55	corenet_udp_bind_all_nodes(dnsmasq_t)
	56	corenet_tcp_bind_dns_port(dnsmasq_t)
	57	corenet_udp_bind_dns_port(dnsmasq_t)
	58	corenet_udp_bind_dhcpd_port(dnsmasq_t)
141cffdd CP	59	corenet_sendrecv_dns_server_packets(dnsmasq_t)
141cffdd CP	60	corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
9e725d8a CP	61
	62	dev_read_sysfs(dnsmasq_t)
	63	dev_read_urand(dnsmasq_t)
	64
	65	domain_use_interactive_fds(dnsmasq_t)
	66
	67	# allow access to dnsmasq.conf
	68	files_read_etc_files(dnsmasq_t)
	69
	70	fs_getattr_all_fs(dnsmasq_t)
	71	fs_search_auto_mountpoints(dnsmasq_t)
	72
9e725d8a CP	73	libs_use_ld_so(dnsmasq_t)
	74	libs_use_shared_libs(dnsmasq_t)
	75
	76	logging_send_syslog_msg(dnsmasq_t)
	77
	78	miscfiles_read_localization(dnsmasq_t)
	79
	80	sysnet_read_config(dnsmasq_t)
	81
	82	userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
	83	userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
	84
	85	ifdef(`targeted_policy',`
	86	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
	87	term_dontaudit_use_generic_ptys(dnsmasq_t)
	88	files_dontaudit_read_root_files(dnsmasq_t)
	89	')
	90
	91	optional_policy(`
	92	nis_use_ypbind(dnsmasq_t)
	93	')
	94
	95	optional_policy(`
	96	seutil_sigchld_newrole(dnsmasq_t)
	97	')
	98
	99	optional_policy(`
	100	udev_read_db(dnsmasq_t)
	101	')