[people/stevee/selinux-policy.git] / policy / modules / services / dnsmasq.te


policy_module(dnsmasq, 1.6.0)

########################################
#
# Declarations
#

type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)

type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { setcap signal_perms };
allow dnsmasq_t self:fifo_file { read write };
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# dhcp leases
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)

manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)

corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
corenet_udp_sendrecv_all_nodes(dnsmasq_t)
corenet_raw_sendrecv_all_nodes(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

sysnet_read_config(dnsmasq_t)

userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)

sysadm_dontaudit_search_home_dirs(dnsmasq_t)

optional_policy(`
	nis_use_ypbind(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')
Commit	Line	Data
9e725d8a	1
cfcf5004	2	policy_module(dnsmasq, 1.6.0)
9e725d8a CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dnsmasq_t;
	10	type dnsmasq_exec_t;
	11	init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
	12
	13	type dnsmasq_lease_t;
	14	files_type(dnsmasq_lease_t)
	15
	16	type dnsmasq_var_run_t;
	17	files_pid_file(dnsmasq_var_run_t)
	18
	19	########################################
	20	#
	21	# Local policy
	22	#
	23
ed38ca9f	24	allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
9e725d8a	25	dontaudit dnsmasq_t self:capability sys_tty_config;
ed38ca9f CP	26	allow dnsmasq_t self:process { setcap signal_perms };
	27	allow dnsmasq_t self:fifo_file { read write };
	28	allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
9e725d8a CP	29	allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
	30	allow dnsmasq_t self:udp_socket create_socket_perms;
	31	allow dnsmasq_t self:packet_socket create_socket_perms;
	32	allow dnsmasq_t self:rawip_socket create_socket_perms;
	33
	34	# dhcp leases
	35	allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
	36	files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
	37
c0868a7a	38	manage_files_pattern(dnsmasq_t,dnsmasq_var_run_t,dnsmasq_var_run_t)
9e725d8a CP	39	files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
	40
	41	kernel_read_kernel_sysctls(dnsmasq_t)
	42	kernel_list_proc(dnsmasq_t)
	43	kernel_read_proc_symlinks(dnsmasq_t)
	44
19006686 CP	45	corenet_all_recvfrom_unlabeled(dnsmasq_t)
19006686 CP	46	corenet_all_recvfrom_netlabel(dnsmasq_t)
9e725d8a CP	47	corenet_tcp_sendrecv_generic_if(dnsmasq_t)
	48	corenet_udp_sendrecv_generic_if(dnsmasq_t)
	49	corenet_raw_sendrecv_generic_if(dnsmasq_t)
	50	corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
	51	corenet_udp_sendrecv_all_nodes(dnsmasq_t)
	52	corenet_raw_sendrecv_all_nodes(dnsmasq_t)
	53	corenet_tcp_sendrecv_all_ports(dnsmasq_t)
	54	corenet_udp_sendrecv_all_ports(dnsmasq_t)
9e725d8a CP	55	corenet_tcp_bind_all_nodes(dnsmasq_t)
	56	corenet_udp_bind_all_nodes(dnsmasq_t)
	57	corenet_tcp_bind_dns_port(dnsmasq_t)
	58	corenet_udp_bind_dns_port(dnsmasq_t)
	59	corenet_udp_bind_dhcpd_port(dnsmasq_t)
141cffdd CP	60	corenet_sendrecv_dns_server_packets(dnsmasq_t)
141cffdd CP	61	corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
9e725d8a CP	62
	63	dev_read_sysfs(dnsmasq_t)
	64	dev_read_urand(dnsmasq_t)
	65
	66	domain_use_interactive_fds(dnsmasq_t)
	67
	68	# allow access to dnsmasq.conf
	69	files_read_etc_files(dnsmasq_t)
	70
	71	fs_getattr_all_fs(dnsmasq_t)
	72	fs_search_auto_mountpoints(dnsmasq_t)
	73
9e725d8a CP	74	libs_use_ld_so(dnsmasq_t)
	75	libs_use_shared_libs(dnsmasq_t)
	76
	77	logging_send_syslog_msg(dnsmasq_t)
	78
	79	miscfiles_read_localization(dnsmasq_t)
	80
	81	sysnet_read_config(dnsmasq_t)
	82
	83	userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
e9c6cda7 CP	84
e9c6cda7 CP	85	sysadm_dontaudit_search_home_dirs(dnsmasq_t)
9e725d8a	86
9e725d8a CP	87	optional_policy(`
	88	nis_use_ypbind(dnsmasq_t)
	89	')
	90
	91	optional_policy(`
	92	seutil_sigchld_newrole(dnsmasq_t)
	93	')
	94
	95	optional_policy(`
	96	udev_read_db(dnsmasq_t)
	97	')