[selinux-policy: 2686/3172] dnsmasq patch from Dan Walsh - cron_manage_pid_files call removed until further explanation

Thu Oct 7 22:58:51 UTC 2010

commit 37194ac0559b5e59ae3d32b947bac2afee79bc83
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Fri May 21 17:02:24 2010 -0400

    dnsmasq patch from Dan Walsh
    - cron_manage_pid_files call removed until further explanation

 policy/modules/services/dnsmasq.fc |    2 ++
 policy/modules/services/dnsmasq.if |    6 +++---
 policy/modules/services/dnsmasq.te |   18 ++++++++++++++++--
 3 files changed, 21 insertions(+), 5 deletions(-)
---

diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 21089ca..b886676 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -6,5 +6,7 @@
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
+/var/log/dnsmasq\.log			gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+
 /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 5681e65..a5c426b 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -111,7 +111,7 @@ interface(`dnsmasq_read_config',`
 		type dnsmasq_etc_t;
 	')
 
-	allow $1 dnsmasq_etc_t:file read_file_perms;
+	read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
 	files_search_etc($1)
 ')
 
@@ -130,7 +130,7 @@ interface(`dnsmasq_write_config',`
 		type dnsmasq_etc_t;
 	')
 
-	allow $1 dnsmasq_etc_t:file write_file_perms;
+	write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
 	files_search_etc($1)
 ')
 
@@ -174,7 +174,7 @@ interface(`dnsmasq_read_pid_files',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an dnsmasq environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 2865f04..c8fb14d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -19,6 +19,9 @@ files_config_file(dnsmasq_etc_t)
 type dnsmasq_lease_t;
 files_type(dnsmasq_lease_t)
 
+type dnsmasq_var_log_t;
+logging_log_file(dnsmasq_var_log_t)
+
 type dnsmasq_var_run_t;
 files_pid_file(dnsmasq_var_run_t)
 
@@ -27,7 +30,7 @@ files_pid_file(dnsmasq_var_run_t)
 # Local policy
 #
 
-allow dnsmasq_t self:capability { net_admin setgid setuid net_bind_service net_raw };
+allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw };
 dontaudit dnsmasq_t self:capability sys_tty_config;
 allow dnsmasq_t self:process { getcap setcap signal_perms };
 allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -37,12 +40,15 @@ allow dnsmasq_t self:udp_socket create_socket_perms;
 allow dnsmasq_t self:packet_socket create_socket_perms;
 allow dnsmasq_t self:rawip_socket create_socket_perms;
 
-allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
+read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
 
 # dhcp leases
 manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
 files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
 
+manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+
 manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
 files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
 
@@ -87,6 +93,14 @@ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
 optional_policy(`
+	cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dnsmasq_t)
 ')
 
