[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / dhcp.te


policy_module(dhcp,1.1.0)

########################################
#
# Declarations
#

type dhcpd_t;
type dhcpd_exec_t;
init_daemon_domain(dhcpd_t,dhcpd_exec_t)

type dhcpd_state_t;
files_type(dhcpd_state_t)

type dhcpd_tmp_t;
files_tmp_file(dhcpd_tmp_t)

type dhcpd_var_run_t;
files_pid_file(dhcpd_var_run_t)

########################################
#
# Local policy
#

allow dhcpd_t self:capability net_raw;
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr };
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
allow dhcpd_t self:tcp_socket create_stream_socket_perms;
allow dhcpd_t self:udp_socket create_socket_perms;
# Allow dhcpd_t to use packet sockets
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;

can_exec(dhcpd_t,dhcpd_exec_t)

allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
allow dhcpd_t dhcpd_state_t:file create_file_perms;
sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t)

allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir })

allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)

kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)

corenet_tcp_sendrecv_all_if(dhcpd_t)
corenet_udp_sendrecv_all_if(dhcpd_t)
corenet_raw_sendrecv_all_if(dhcpd_t)
corenet_tcp_sendrecv_all_nodes(dhcpd_t)
corenet_udp_sendrecv_all_nodes(dhcpd_t)
corenet_raw_sendrecv_all_nodes(dhcpd_t)
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
corenet_non_ipsec_sendrecv(dhcpd_t)
corenet_tcp_bind_all_nodes(dhcpd_t)
corenet_udp_bind_all_nodes(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)

dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
dev_read_urand(dhcpd_t)

fs_getattr_all_fs(dhcpd_t)
fs_search_auto_mountpoints(dhcpd_t)

term_dontaudit_use_console(dhcpd_t)

corecmd_exec_bin(dhcpd_t)
corecmd_exec_sbin(dhcpd_t)

domain_use_interactive_fds(dhcpd_t)

files_read_etc_files(dhcpd_t)
files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)

init_use_fd(dhcpd_t)
init_use_script_ptys(dhcpd_t)

libs_use_ld_so(dhcpd_t)
libs_use_shared_libs(dhcpd_t)

logging_send_syslog_msg(dhcpd_t)

miscfiles_read_localization(dhcpd_t)

sysnet_read_config(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)

userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)

ifdef(`distro_gentoo',`
	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dhcpd_t)
	term_dontaudit_use_generic_ptys(dhcpd_t)
	files_dontaudit_read_root_files(dhcpd_t)
')

optional_policy(`bind',`
	# used for dynamic DNS
	bind_read_dnssec_keys(dhcpd_t)
')

optional_policy(`mount',`
	mount_send_nfs_client_request(dhcpd_t)
')

optional_policy(`nis',`
	nis_use_ypbind(dhcpd_t)
')

optional_policy(`nscd',`
	nscd_socket_use(dhcpd_t)
')

optional_policy(`selinuxutil',`
	seutil_sigchld_newrole(dhcpd_t)
')

optional_policy(`udev',`
	udev_read_db(dhcpd_t)
')
Commit	Line	Data
7c8fc35b	1
5ea24be9	2	policy_module(dhcp,1.1.0)
7c8fc35b CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dhcpd_t;
	10	type dhcpd_exec_t;
	11	init_daemon_domain(dhcpd_t,dhcpd_exec_t)
	12
	13	type dhcpd_state_t;
	14	files_type(dhcpd_state_t)
	15
	16	type dhcpd_tmp_t;
	17	files_tmp_file(dhcpd_tmp_t)
	18
	19	type dhcpd_var_run_t;
	20	files_pid_file(dhcpd_var_run_t)
	21
	22	########################################
	23	#
	24	# Local policy
	25	#
	26
7b90f2db CP	27	allow dhcpd_t self:capability net_raw;
7b90f2db CP	28	dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
681c9a02	29	allow dhcpd_t self:process signal_perms;
7c8fc35b CP	30	allow dhcpd_t self:fifo_file { read write getattr };
	31	allow dhcpd_t self:unix_dgram_socket create_socket_perms;
	32	allow dhcpd_t self:unix_stream_socket create_socket_perms;
	33	allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
	34	allow dhcpd_t self:tcp_socket create_stream_socket_perms;
	35	allow dhcpd_t self:udp_socket create_socket_perms;
	36	# Allow dhcpd_t to use packet sockets
	37	allow dhcpd_t self:packet_socket create_socket_perms;
	38	allow dhcpd_t self:rawip_socket create_socket_perms;
	39
	40	can_exec(dhcpd_t,dhcpd_exec_t)
	41
7b90f2db	42	allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
7c8fc35b	43	allow dhcpd_t dhcpd_state_t:file create_file_perms;
9d594986	44	sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t)
7c8fc35b CP	45
	46	allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
	47	allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
9d594986	48	files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir })
7c8fc35b CP	49
7c8fc35b CP	50	allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
33acca55	51	allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
9d594986	52	files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
7c8fc35b CP	53
7c8fc35b CP	54	kernel_read_system_state(dhcpd_t)
445522dc	55	kernel_read_kernel_sysctls(dhcpd_t)
7c8fc35b CP	56
	57	corenet_tcp_sendrecv_all_if(dhcpd_t)
	58	corenet_udp_sendrecv_all_if(dhcpd_t)
	59	corenet_raw_sendrecv_all_if(dhcpd_t)
	60	corenet_tcp_sendrecv_all_nodes(dhcpd_t)
	61	corenet_udp_sendrecv_all_nodes(dhcpd_t)
	62	corenet_raw_sendrecv_all_nodes(dhcpd_t)
	63	corenet_tcp_sendrecv_all_ports(dhcpd_t)
	64	corenet_udp_sendrecv_all_ports(dhcpd_t)
bd70373d	65	corenet_non_ipsec_sendrecv(dhcpd_t)
7c8fc35b CP	66	corenet_tcp_bind_all_nodes(dhcpd_t)
7c8fc35b CP	67	corenet_udp_bind_all_nodes(dhcpd_t)
77f6e2cd	68	corenet_tcp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	69	corenet_udp_bind_dhcpd_port(dhcpd_t)
7c8fc35b CP	70	corenet_udp_bind_pxe_port(dhcpd_t)
a0824843	71	corenet_tcp_connect_all_ports(dhcpd_t)
7c8fc35b CP	72
	73	dev_read_sysfs(dhcpd_t)
	74	dev_read_rand(dhcpd_t)
	75	dev_read_urand(dhcpd_t)
	76
	77	fs_getattr_all_fs(dhcpd_t)
	78	fs_search_auto_mountpoints(dhcpd_t)
	79
	80	term_dontaudit_use_console(dhcpd_t)
	81
	82	corecmd_exec_bin(dhcpd_t)
	83	corecmd_exec_sbin(dhcpd_t)
	84
15722ec9	85	domain_use_interactive_fds(dhcpd_t)
7c8fc35b CP	86
	87	files_read_etc_files(dhcpd_t)
	88	files_read_usr_files(dhcpd_t)
	89	files_read_etc_runtime_files(dhcpd_t)
	90	files_search_var_lib(dhcpd_t)
	91
	92	init_use_fd(dhcpd_t)
1815bad1	93	init_use_script_ptys(dhcpd_t)
7c8fc35b CP	94
	95	libs_use_ld_so(dhcpd_t)
	96	libs_use_shared_libs(dhcpd_t)
	97
	98	logging_send_syslog_msg(dhcpd_t)
	99
	100	miscfiles_read_localization(dhcpd_t)
	101
	102	sysnet_read_config(dhcpd_t)
	103	sysnet_read_dhcp_config(dhcpd_t)
	104
15722ec9	105	userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
7c8fc35b CP	106	userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
	107
	108	ifdef(`distro_gentoo',`
	109	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
	110	')
	111
	112	ifdef(`targeted_policy',`
1815bad1 CP	113	term_dontaudit_use_unallocated_ttys(dhcpd_t)
1815bad1 CP	114	term_dontaudit_use_generic_ptys(dhcpd_t)
9e04f5c5	115	files_dontaudit_read_root_files(dhcpd_t)
7c8fc35b CP	116	')
7c8fc35b CP	117
1328802a	118	optional_policy(`bind',`
7c8fc35b CP	119	# used for dynamic DNS
	120	bind_read_dnssec_keys(dhcpd_t)
	121	')
	122
1328802a	123	optional_policy(`mount',`
7c8fc35b CP	124	mount_send_nfs_client_request(dhcpd_t)
	125	')
	126
1328802a	127	optional_policy(`nis',`
7c8fc35b CP	128	nis_use_ypbind(dhcpd_t)
	129	')
	130
1328802a	131	optional_policy(`nscd',`
1815bad1	132	nscd_socket_use(dhcpd_t)
a0824843 CP	133	')
a0824843 CP	134
1328802a	135	optional_policy(`selinuxutil',`
7c8fc35b CP	136	seutil_sigchld_newrole(dhcpd_t)
	137	')
	138
1328802a	139	optional_policy(`udev',`
7c8fc35b CP	140	udev_read_db(dhcpd_t)
7c8fc35b CP	141	')