]>
Commit | Line | Data |
---|---|---|
9e725d8a CP |
1 | |
2 | policy_module(dnsmasq,1.0.0) | |
3 | ||
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type dnsmasq_t; | |
10 | type dnsmasq_exec_t; | |
11 | init_daemon_domain(dnsmasq_t,dnsmasq_exec_t) | |
12 | ||
13 | type dnsmasq_lease_t; | |
14 | files_type(dnsmasq_lease_t) | |
15 | ||
16 | type dnsmasq_var_run_t; | |
17 | files_pid_file(dnsmasq_var_run_t) | |
18 | ||
19 | ######################################## | |
20 | # | |
21 | # Local policy | |
22 | # | |
23 | ||
24 | allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw }; | |
25 | dontaudit dnsmasq_t self:capability sys_tty_config; | |
26 | allow dnsmasq_t self:process signal_perms; | |
27 | allow dnsmasq_t self:tcp_socket create_stream_socket_perms; | |
28 | allow dnsmasq_t self:udp_socket create_socket_perms; | |
29 | allow dnsmasq_t self:packet_socket create_socket_perms; | |
30 | allow dnsmasq_t self:rawip_socket create_socket_perms; | |
31 | ||
32 | # dhcp leases | |
33 | allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms; | |
34 | files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file) | |
35 | ||
36 | allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms; | |
37 | allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms; | |
38 | files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file) | |
39 | ||
40 | kernel_read_kernel_sysctls(dnsmasq_t) | |
41 | kernel_list_proc(dnsmasq_t) | |
42 | kernel_read_proc_symlinks(dnsmasq_t) | |
43 | ||
44 | corenet_tcp_sendrecv_generic_if(dnsmasq_t) | |
45 | corenet_udp_sendrecv_generic_if(dnsmasq_t) | |
46 | corenet_raw_sendrecv_generic_if(dnsmasq_t) | |
47 | corenet_tcp_sendrecv_all_nodes(dnsmasq_t) | |
48 | corenet_udp_sendrecv_all_nodes(dnsmasq_t) | |
49 | corenet_raw_sendrecv_all_nodes(dnsmasq_t) | |
50 | corenet_tcp_sendrecv_all_ports(dnsmasq_t) | |
51 | corenet_udp_sendrecv_all_ports(dnsmasq_t) | |
52 | corenet_non_ipsec_sendrecv(dnsmasq_t) | |
53 | corenet_tcp_bind_all_nodes(dnsmasq_t) | |
54 | corenet_udp_bind_all_nodes(dnsmasq_t) | |
55 | corenet_tcp_bind_dns_port(dnsmasq_t) | |
56 | corenet_udp_bind_dns_port(dnsmasq_t) | |
57 | corenet_udp_bind_dhcpd_port(dnsmasq_t) | |
58 | ||
59 | dev_read_sysfs(dnsmasq_t) | |
60 | dev_read_urand(dnsmasq_t) | |
61 | ||
62 | domain_use_interactive_fds(dnsmasq_t) | |
63 | ||
64 | # allow access to dnsmasq.conf | |
65 | files_read_etc_files(dnsmasq_t) | |
66 | ||
67 | fs_getattr_all_fs(dnsmasq_t) | |
68 | fs_search_auto_mountpoints(dnsmasq_t) | |
69 | ||
70 | term_dontaudit_use_console(dnsmasq_t) | |
71 | ||
72 | init_use_fds(dnsmasq_t) | |
73 | init_use_script_ptys(dnsmasq_t) | |
74 | ||
75 | libs_use_ld_so(dnsmasq_t) | |
76 | libs_use_shared_libs(dnsmasq_t) | |
77 | ||
78 | logging_send_syslog_msg(dnsmasq_t) | |
79 | ||
80 | miscfiles_read_localization(dnsmasq_t) | |
81 | ||
82 | sysnet_read_config(dnsmasq_t) | |
83 | ||
84 | userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) | |
85 | userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t) | |
86 | ||
87 | ifdef(`targeted_policy',` | |
88 | term_dontaudit_use_unallocated_ttys(dnsmasq_t) | |
89 | term_dontaudit_use_generic_ptys(dnsmasq_t) | |
90 | files_dontaudit_read_root_files(dnsmasq_t) | |
91 | ') | |
92 | ||
93 | optional_policy(` | |
94 | nis_use_ypbind(dnsmasq_t) | |
95 | ') | |
96 | ||
97 | optional_policy(` | |
98 | seutil_sigchld_newrole(dnsmasq_t) | |
99 | ') | |
100 | ||
101 | optional_policy(` | |
102 | udev_read_db(dnsmasq_t) | |
103 | ') |