Bump module versions for release.
# SELinux type-enforcement module confining the dnsmasq daemon in dnsmasq_t.
# First argument is the module name, second the module version.
policy_module(dnsmasq, 1.9.0)

########################################
#
# Declarations
#

# Process domain and the entrypoint type for the daemon executable.
# init_daemon_domain sets up the transition from init into dnsmasq_t
# when a file labeled dnsmasq_exec_t is executed.
type dnsmasq_t;
type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)

# Label for the init script that starts and stops the service.
type dnsmasq_initrc_exec_t;
init_script_file(dnsmasq_initrc_exec_t)

# Configuration files. Declared as a config file type so that generic
# config-file interfaces in other modules apply to it.
type dnsmasq_etc_t;
files_config_file(dnsmasq_etc_t)

# DHCP lease database.
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)

# Log files written by the daemon itself.
type dnsmasq_var_log_t;
logging_log_file(dnsmasq_var_log_t)

# PID file.
type dnsmasq_var_run_t;
files_pid_file(dnsmasq_var_run_t)

########################################
#
# Local policy
#

# Capabilities retained inside the domain. dac_override bypasses Unix
# permission bits, so the file-type rules below are the effective
# boundary on what the daemon can touch. net_admin and net_raw go with
# the packet and raw IP sockets granted further down.
# NOTE(review): setuid/setgid/chown presumably cover the privilege drop
# and ownership fix-ups at startup - confirm against the daemon.
allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
# dontaudit only silences the audit record; the access is still denied.
dontaudit dnsmasq_t self:capability sys_tty_config;
# getcap/setcap let the process inspect and change its own capability
# sets; signal_perms covers signalling within the domain.
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
# Route netlink is read-only here: nlmsg_read is granted, nlmsg_write is
# not, so route and interface state can be queried but not modified over
# this socket class even though net_admin is held.
allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write };
allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
allow dnsmasq_t self:udp_socket create_socket_perms;
# Packet and raw IP sockets give link-layer and raw IP send/receive.
# NOTE(review): presumably for DHCP and address probing - confirm; this
# is sensitive access worth keeping in mind when auditing the domain.
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

# Configuration is read-only for the daemon: no write or create rule on
# dnsmasq_etc_t is granted in this module.
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)

# dhcp leases
# Full management of lease files, plus a type transition so that files
# the daemon creates under the var_lib directory get dnsmasq_lease_t.
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)

# Own log files, with a type transition for files created in the log
# directory.
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)

# Own PID file, with a type transition for files created in the pid
# directory.
manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)

# Read-only view of kernel sysctls and general system state.
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)

# Network access. Traffic is accepted from unlabeled and NetLabel peers
# and may use any generic interface and node.
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
corenet_tcp_sendrecv_generic_node(dnsmasq_t)
corenet_udp_sendrecv_generic_node(dnsmasq_t)
corenet_raw_sendrecv_generic_node(dnsmasq_t)
corenet_tcp_sendrecv_all_ports(dnsmasq_t)
corenet_udp_sendrecv_all_ports(dnsmasq_t)
corenet_tcp_bind_generic_node(dnsmasq_t)
corenet_udp_bind_generic_node(dnsmasq_t)
# TCP listening is limited to the DNS port type, but UDP may bind any
# port type. That asymmetry is the widest network grant in the module.
# NOTE(review): presumably needed for DHCP, TFTP and randomized DNS
# source ports - confirm before narrowing; a compromised daemon could
# otherwise take over UDP ports labeled for other services.
corenet_tcp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_all_ports(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)

# Read sysfs and the non-blocking random device.
dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)

domain_use_interactive_fds(dnsmasq_t)

# Generic system configuration under the etc types (read only).
files_read_etc_files(dnsmasq_t)
files_read_etc_runtime_files(dnsmasq_t)

fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)

# Name service lookups. The access this pulls in is defined by the
# interface in the authlogin module, not here; review it there when
# assessing the total reach of the domain.
auth_use_nsswitch(dnsmasq_t)

logging_send_syslog_msg(dnsmasq_t)

miscfiles_read_localization(dnsmasq_t)

# Silence audit noise from inherited user descriptors and home directory
# searches; the accesses stay denied.
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)

# Each optional_policy block below takes effect only when the module
# providing the interface is present in the loaded policy.

# Read access to cobbler library files.
optional_policy(`
	cobbler_read_lib_files(dnsmasq_t)
')

# Client access to the system D-Bus.
optional_policy(`
	dbus_system_bus_client(dnsmasq_t)
')

optional_policy(`
	seutil_sigchld_newrole(dnsmasq_t)
')

# Read access to TFTP content.
optional_policy(`
	tftp_read_content(dnsmasq_t)
')

optional_policy(`
	udev_read_db(dnsmasq_t)
')

# Unlike the read-only grants above, this gives manage (create, write,
# delete) access to files owned by the virt module, so dnsmasq_t can
# alter state belonging to another service.
# NOTE(review): presumably for dnsmasq instances launched by libvirt -
# confirm that manage rather than read is required.
optional_policy(`
	virt_manage_lib_files(dnsmasq_t)
	virt_read_pid_files(dnsmasq_t)
')