dnsmasq patch from Dan Walsh

- cron_manage_pid_files call removed until further explanation

diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 21089cada6d3dd5e18b9ea339862ee81e83f545e..b886676601ec584b5f4e266ae7fa2c45d8117746 100644 (file)
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -6,5 +6,7 @@
 /var/lib/misc/dnsmasq\.leases  --      gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?                 gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
+/var/log/dnsmasq\.log                  gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
 /var/run/dnsmasq\.pid          --      gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 /var/run/libvirt/network(/.*)?         gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 5681e658903a00c278f64e9e12fd0e0ea6ea9add..a5c426b17646079250ee88c812c2b885e1818add 100644 (file)
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -111,7 +111,7 @@ interface(`dnsmasq_read_config',`
                type dnsmasq_etc_t;
        ')
 
-       allow $1 dnsmasq_etc_t:file read_file_perms;
+       read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
        files_search_etc($1)
 ')
 
@@ -130,7 +130,7 @@ interface(`dnsmasq_write_config',`
                type dnsmasq_etc_t;
        ')
 
-       allow $1 dnsmasq_etc_t:file write_file_perms;
+       write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
        files_search_etc($1)
 ')
 
@@ -174,7 +174,7 @@ interface(`dnsmasq_read_pid_files',`
 
 ########################################
 ## <summary>
-##     All of the rules required to administrate 
+##     All of the rules required to administrate
 ##     an dnsmasq environment
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 2865f045eca07a8f80c7647ab73fcfc8ce03ed1c..c8fb14d76a1906d5c6208755c0df962f22ae3dfe 100644 (file)
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -19,6 +19,9 @@ files_config_file(dnsmasq_etc_t)
 type dnsmasq_lease_t;
 files_type(dnsmasq_lease_t)
 
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
@@ -27,7 +30,7 @@ files_pid_file(dnsmasq_var_run_t)
 # Local policy
 #
 
-allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
+allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
 allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -37,12 +40,15 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
 allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
-allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
 
 # dhcp leases
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
 
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
 manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
 
@@ -86,6 +92,14 @@ miscfiles_read_localization(dnsmasq_t)
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
+optional_policy(`
+       cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+       dbus_system_bus_client(dnsmasq_t)
+')
+
 optional_policy(`
        seutil_sigchld_newrole(dnsmasq_t)
 ')