[people/stevee/selinux-policy.git] / refpolicy / policy / modules / services / dnsmasq.te


policy_module(dnsmasq,1.0.0)

########################################
#
# Declarations
#

type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)

type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process signal_perms;
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# dhcp leases
allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)

allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)

kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)

corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
corenet_udp_sendrecv_all_nodes(dnsmasq_t)
corenet_raw_sendrecv_all_nodes(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_non_ipsec_sendrecv(dnsmasq_t)
corenet_tcp_bind_all_nodes(dnsmasq_t)
corenet_udp_bind_all_nodes(dnsmasq_t)
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)

dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

term_dontaudit_use_console(dnsmasq_t)

init_use_fds(dnsmasq_t)
init_use_script_ptys(dnsmasq_t)

libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

sysnet_read_config(dnsmasq_t)

userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
	term_dontaudit_use_generic_ptys(dnsmasq_t)
	files_dontaudit_read_root_files(dnsmasq_t)
')

optional_policy(`
	nis_use_ypbind(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')
Commit	Line	Data
9e725d8a CP	1
	2	policy_module(dnsmasq,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dnsmasq_t;
	10	type dnsmasq_exec_t;
	11	init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
	12
	13	type dnsmasq_lease_t;
	14	files_type(dnsmasq_lease_t)
	15
	16	type dnsmasq_var_run_t;
	17	files_pid_file(dnsmasq_var_run_t)
	18
	19	########################################
	20	#
	21	# Local policy
	22	#
	23
	24	allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
	25	dontaudit dnsmasq_t self:capability sys_tty_config;
	26	allow dnsmasq_t self:process signal_perms;
	27	allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
	28	allow dnsmasq_t self:udp_socket create_socket_perms;
	29	allow dnsmasq_t self:packet_socket create_socket_perms;
	30	allow dnsmasq_t self:rawip_socket create_socket_perms;
	31
	32	# dhcp leases
	33	allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
	34	files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
	35
	36	allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
	37	allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
	38	files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
	39
	40	kernel_read_kernel_sysctls(dnsmasq_t)
	41	kernel_list_proc(dnsmasq_t)
	42	kernel_read_proc_symlinks(dnsmasq_t)
	43
	44	corenet_tcp_sendrecv_generic_if(dnsmasq_t)
	45	corenet_udp_sendrecv_generic_if(dnsmasq_t)
	46	corenet_raw_sendrecv_generic_if(dnsmasq_t)
	47	corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
	48	corenet_udp_sendrecv_all_nodes(dnsmasq_t)
	49	corenet_raw_sendrecv_all_nodes(dnsmasq_t)
	50	corenet_tcp_sendrecv_all_ports(dnsmasq_t)
	51	corenet_udp_sendrecv_all_ports(dnsmasq_t)
	52	corenet_non_ipsec_sendrecv(dnsmasq_t)
	53	corenet_tcp_bind_all_nodes(dnsmasq_t)
	54	corenet_udp_bind_all_nodes(dnsmasq_t)
	55	corenet_tcp_bind_dns_port(dnsmasq_t)
	56	corenet_udp_bind_dns_port(dnsmasq_t)
	57	corenet_udp_bind_dhcpd_port(dnsmasq_t)
	58
	59	dev_read_sysfs(dnsmasq_t)
	60	dev_read_urand(dnsmasq_t)
	61
	62	domain_use_interactive_fds(dnsmasq_t)
	63
	64	# allow access to dnsmasq.conf
65	files_read_etc_files(dnsmasq_t)
66
67	fs_getattr_all_fs(dnsmasq_t)
68	fs_search_auto_mountpoints(dnsmasq_t)
69
70	term_dontaudit_use_console(dnsmasq_t)
71
72	init_use_fds(dnsmasq_t)
73	init_use_script_ptys(dnsmasq_t)
74
75	libs_use_ld_so(dnsmasq_t)
76	libs_use_shared_libs(dnsmasq_t)
77
78	logging_send_syslog_msg(dnsmasq_t)
79
80	miscfiles_read_localization(dnsmasq_t)
81
82	sysnet_read_config(dnsmasq_t)
83
84	userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
85	userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
86
87	ifdef(`targeted_policy',`
88	term_dontaudit_use_unallocated_ttys(dnsmasq_t)
89	term_dontaudit_use_generic_ptys(dnsmasq_t)
90	files_dontaudit_read_root_files(dnsmasq_t)
91	')
92
93	optional_policy(`
94	nis_use_ypbind(dnsmasq_t)
95	')
96
97	optional_policy(`
98	seutil_sigchld_newrole(dnsmasq_t)
99	')
100
101	optional_policy(`
102	udev_read_db(dnsmasq_t)
103	')