]>
Commit | Line | Data |
---|---|---|
7c8fc35b | 1 | |
5ea24be9 | 2 | policy_module(dhcp,1.1.0) |
7c8fc35b CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type dhcpd_t; | |
10 | type dhcpd_exec_t; | |
11 | init_daemon_domain(dhcpd_t,dhcpd_exec_t) | |
12 | ||
13 | type dhcpd_state_t; | |
14 | files_type(dhcpd_state_t) | |
15 | ||
16 | type dhcpd_tmp_t; | |
17 | files_tmp_file(dhcpd_tmp_t) | |
18 | ||
19 | type dhcpd_var_run_t; | |
20 | files_pid_file(dhcpd_var_run_t) | |
21 | ||
22 | ######################################## | |
23 | # | |
24 | # Local policy | |
25 | # | |
26 | ||
7b90f2db CP |
27 | allow dhcpd_t self:capability net_raw; |
28 | dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; | |
681c9a02 | 29 | allow dhcpd_t self:process signal_perms; |
7c8fc35b CP |
30 | allow dhcpd_t self:fifo_file { read write getattr }; |
31 | allow dhcpd_t self:unix_dgram_socket create_socket_perms; | |
32 | allow dhcpd_t self:unix_stream_socket create_socket_perms; | |
33 | allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms; | |
34 | allow dhcpd_t self:tcp_socket create_stream_socket_perms; | |
35 | allow dhcpd_t self:udp_socket create_socket_perms; | |
36 | # Allow dhcpd_t to use packet sockets | |
37 | allow dhcpd_t self:packet_socket create_socket_perms; | |
38 | allow dhcpd_t self:rawip_socket create_socket_perms; | |
39 | ||
40 | can_exec(dhcpd_t,dhcpd_exec_t) | |
41 | ||
7b90f2db | 42 | allow dhcpd_t dhcpd_state_t:dir rw_dir_perms; |
7c8fc35b | 43 | allow dhcpd_t dhcpd_state_t:file create_file_perms; |
9d594986 | 44 | sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t) |
7c8fc35b CP |
45 | |
46 | allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms; | |
47 | allow dhcpd_t dhcpd_tmp_t:file create_file_perms; | |
9d594986 | 48 | files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir }) |
7c8fc35b CP |
49 | |
50 | allow dhcpd_t dhcpd_var_run_t:file create_file_perms; | |
33acca55 | 51 | allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms; |
9d594986 | 52 | files_filetrans_pid(dhcpd_t,dhcpd_var_run_t) |
7c8fc35b CP |
53 | |
54 | kernel_read_system_state(dhcpd_t) | |
445522dc | 55 | kernel_read_kernel_sysctls(dhcpd_t) |
7c8fc35b CP |
56 | |
57 | corenet_tcp_sendrecv_all_if(dhcpd_t) | |
58 | corenet_udp_sendrecv_all_if(dhcpd_t) | |
59 | corenet_raw_sendrecv_all_if(dhcpd_t) | |
60 | corenet_tcp_sendrecv_all_nodes(dhcpd_t) | |
61 | corenet_udp_sendrecv_all_nodes(dhcpd_t) | |
62 | corenet_raw_sendrecv_all_nodes(dhcpd_t) | |
63 | corenet_tcp_sendrecv_all_ports(dhcpd_t) | |
64 | corenet_udp_sendrecv_all_ports(dhcpd_t) | |
bd70373d | 65 | corenet_non_ipsec_sendrecv(dhcpd_t) |
7c8fc35b CP |
66 | corenet_tcp_bind_all_nodes(dhcpd_t) |
67 | corenet_udp_bind_all_nodes(dhcpd_t) | |
77f6e2cd | 68 | corenet_tcp_bind_dhcpd_port(dhcpd_t) |
7c8fc35b CP |
69 | corenet_udp_bind_dhcpd_port(dhcpd_t) |
70 | corenet_udp_bind_pxe_port(dhcpd_t) | |
a0824843 | 71 | corenet_tcp_connect_all_ports(dhcpd_t) |
7c8fc35b CP |
72 | |
73 | dev_read_sysfs(dhcpd_t) | |
74 | dev_read_rand(dhcpd_t) | |
75 | dev_read_urand(dhcpd_t) | |
76 | ||
77 | fs_getattr_all_fs(dhcpd_t) | |
78 | fs_search_auto_mountpoints(dhcpd_t) | |
79 | ||
80 | term_dontaudit_use_console(dhcpd_t) | |
81 | ||
82 | corecmd_exec_bin(dhcpd_t) | |
83 | corecmd_exec_sbin(dhcpd_t) | |
84 | ||
15722ec9 | 85 | domain_use_interactive_fds(dhcpd_t) |
7c8fc35b CP |
86 | |
87 | files_read_etc_files(dhcpd_t) | |
88 | files_read_usr_files(dhcpd_t) | |
89 | files_read_etc_runtime_files(dhcpd_t) | |
90 | files_search_var_lib(dhcpd_t) | |
91 | ||
92 | init_use_fd(dhcpd_t) | |
1815bad1 | 93 | init_use_script_ptys(dhcpd_t) |
7c8fc35b CP |
94 | |
95 | libs_use_ld_so(dhcpd_t) | |
96 | libs_use_shared_libs(dhcpd_t) | |
97 | ||
98 | logging_send_syslog_msg(dhcpd_t) | |
99 | ||
100 | miscfiles_read_localization(dhcpd_t) | |
101 | ||
102 | sysnet_read_config(dhcpd_t) | |
103 | sysnet_read_dhcp_config(dhcpd_t) | |
104 | ||
15722ec9 | 105 | userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) |
7c8fc35b CP |
106 | userdom_dontaudit_search_sysadm_home_dir(dhcpd_t) |
107 | ||
108 | ifdef(`distro_gentoo',` | |
109 | allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; | |
110 | ') | |
111 | ||
112 | ifdef(`targeted_policy',` | |
1815bad1 CP |
113 | term_dontaudit_use_unallocated_ttys(dhcpd_t) |
114 | term_dontaudit_use_generic_ptys(dhcpd_t) | |
9e04f5c5 | 115 | files_dontaudit_read_root_files(dhcpd_t) |
7c8fc35b CP |
116 | ') |
117 | ||
1328802a | 118 | optional_policy(`bind',` |
7c8fc35b CP |
119 | # used for dynamic DNS |
120 | bind_read_dnssec_keys(dhcpd_t) | |
121 | ') | |
122 | ||
1328802a | 123 | optional_policy(`mount',` |
7c8fc35b CP |
124 | mount_send_nfs_client_request(dhcpd_t) |
125 | ') | |
126 | ||
1328802a | 127 | optional_policy(`nis',` |
7c8fc35b CP |
128 | nis_use_ypbind(dhcpd_t) |
129 | ') | |
130 | ||
1328802a | 131 | optional_policy(`nscd',` |
1815bad1 | 132 | nscd_socket_use(dhcpd_t) |
a0824843 CP |
133 | ') |
134 | ||
1328802a | 135 | optional_policy(`selinuxutil',` |
7c8fc35b CP |
136 | seutil_sigchld_newrole(dhcpd_t) |
137 | ') | |
138 | ||
1328802a | 139 | optional_policy(`udev',` |
7c8fc35b CP |
140 | udev_read_db(dhcpd_t) |
141 | ') |