]>
Commit | Line | Data |
---|---|---|
9e725d8a | 1 | |
cfcf5004 | 2 | policy_module(dnsmasq, 1.6.0) |
9e725d8a CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type dnsmasq_t; | |
10 | type dnsmasq_exec_t; | |
11 | init_daemon_domain(dnsmasq_t,dnsmasq_exec_t) | |
12 | ||
13 | type dnsmasq_lease_t; | |
14 | files_type(dnsmasq_lease_t) | |
15 | ||
16 | type dnsmasq_var_run_t; | |
17 | files_pid_file(dnsmasq_var_run_t) | |
18 | ||
19 | ######################################## | |
20 | # | |
21 | # Local policy | |
22 | # | |
23 | ||
ed38ca9f | 24 | allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw }; |
9e725d8a | 25 | dontaudit dnsmasq_t self:capability sys_tty_config; |
ed38ca9f CP |
26 | allow dnsmasq_t self:process { setcap signal_perms }; |
27 | allow dnsmasq_t self:fifo_file { read write }; | |
28 | allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; | |
9e725d8a CP |
29 | allow dnsmasq_t self:tcp_socket create_stream_socket_perms; |
30 | allow dnsmasq_t self:udp_socket create_socket_perms; | |
31 | allow dnsmasq_t self:packet_socket create_socket_perms; | |
32 | allow dnsmasq_t self:rawip_socket create_socket_perms; | |
33 | ||
34 | # dhcp leases | |
35 | allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms; | |
36 | files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) | |
37 | ||
c0868a7a | 38 | manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t) |
9e725d8a CP |
39 | files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file) |
40 | ||
41 | kernel_read_kernel_sysctls(dnsmasq_t) | |
42 | kernel_list_proc(dnsmasq_t) | |
43 | kernel_read_proc_symlinks(dnsmasq_t) | |
44 | ||
19006686 CP |
45 | corenet_all_recvfrom_unlabeled(dnsmasq_t) |
46 | corenet_all_recvfrom_netlabel(dnsmasq_t) | |
9e725d8a CP |
47 | corenet_tcp_sendrecv_generic_if(dnsmasq_t) |
48 | corenet_udp_sendrecv_generic_if(dnsmasq_t) | |
49 | corenet_raw_sendrecv_generic_if(dnsmasq_t) | |
50 | corenet_tcp_sendrecv_all_nodes(dnsmasq_t) | |
51 | corenet_udp_sendrecv_all_nodes(dnsmasq_t) | |
52 | corenet_raw_sendrecv_all_nodes(dnsmasq_t) | |
53 | corenet_tcp_sendrecv_all_ports(dnsmasq_t) | |
54 | corenet_udp_sendrecv_all_ports(dnsmasq_t) | |
9e725d8a CP |
55 | corenet_tcp_bind_all_nodes(dnsmasq_t) |
56 | corenet_udp_bind_all_nodes(dnsmasq_t) | |
57 | corenet_tcp_bind_dns_port(dnsmasq_t) | |
58 | corenet_udp_bind_dns_port(dnsmasq_t) | |
59 | corenet_udp_bind_dhcpd_port(dnsmasq_t) | |
141cffdd CP |
60 | corenet_sendrecv_dns_server_packets(dnsmasq_t) |
61 | corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) | |
9e725d8a CP |
62 | |
63 | dev_read_sysfs(dnsmasq_t) | |
64 | dev_read_urand(dnsmasq_t) | |
65 | ||
66 | domain_use_interactive_fds(dnsmasq_t) | |
67 | ||
68 | # allow access to dnsmasq.conf | |
69 | files_read_etc_files(dnsmasq_t) | |
70 | ||
71 | fs_getattr_all_fs(dnsmasq_t) | |
72 | fs_search_auto_mountpoints(dnsmasq_t) | |
73 | ||
9e725d8a CP |
74 | libs_use_ld_so(dnsmasq_t) |
75 | libs_use_shared_libs(dnsmasq_t) | |
76 | ||
77 | logging_send_syslog_msg(dnsmasq_t) | |
78 | ||
79 | miscfiles_read_localization(dnsmasq_t) | |
80 | ||
81 | sysnet_read_config(dnsmasq_t) | |
82 | ||
83 | userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) | |
e9c6cda7 CP |
84 | |
85 | sysadm_dontaudit_search_home_dirs(dnsmasq_t) | |
9e725d8a | 86 | |
9e725d8a CP |
87 | optional_policy(` |
88 | nis_use_ypbind(dnsmasq_t) | |
89 | ') | |
90 | ||
91 | optional_policy(` | |
92 | seutil_sigchld_newrole(dnsmasq_t) | |
93 | ') | |
94 | ||
95 | optional_policy(` | |
96 | udev_read_db(dnsmasq_t) | |
97 | ') |