[selinux-policy: 618/3172] add dhcpd

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:58:04 UTC 2010 

commit 7c8fc35b142595f4fccd36831a5e9838b17cac6b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 2 14:52:08 2005 +0000

    add dhcpd

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/services/bind.if     |   19 ++++
 refpolicy/policy/modules/services/dhcpd.fc    |    6 +
 refpolicy/policy/modules/services/dhcpd.if    |   20 ++++
 refpolicy/policy/modules/services/dhcpd.te    |  136 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/init.te       |    6 +
 refpolicy/policy/modules/system/sysnetwork.fc |    2 +
 refpolicy/policy/modules/system/sysnetwork.if |   77 ++++++++++++++
 8 files changed, 267 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 74107e3..6f9abaf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -3,6 +3,7 @@
 - Added policies:
 	comsat
 	dbus
+	dhcpd
 
 * Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
 - Add Makefile support for building loadable modules.
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index 2b0f6b9..b9b181f 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -52,6 +52,25 @@ interface(`bind_run_ndc',`
 
 ########################################
 ## <summary>
+##	Read DNSSEC keys.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+	gen_require(`
+		type named_conf_t, named_zone_t, dnssec_t;
+		class dir search;
+		class file { getattr read };
+	')
+
+	allow $1 { named_conf_t named_zone_t }:dir search;
+	allow $1 dnssec_t:file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Read BIND named configuration files.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/dhcpd.fc b/refpolicy/policy/modules/services/dhcpd.fc
new file mode 100644
index 0000000..dd68495
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/dhcpd.*		--	context_template(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcp(3)?/dhcpd\.leases.* --	context_template(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid		-d	context_template(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/dhcpd.if b/refpolicy/policy/modules/services/dhcpd.if
new file mode 100644
index 0000000..4a40fbc
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.if
@@ -0,0 +1,20 @@
+## <summary>Dynamic host configuration protocol (DHCP) server</summary>
+
+########################################
+## <summary>
+##	Set the attributes of the DCHP
+##	server state files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+	gen_require(`
+		type dhcpd_state_t;
+		class file setattr;
+	')
+
+	sysnet_search_dhcp_state($1)
+	allow $1 dhcpd_state_t:file setattr;
+')
diff --git a/refpolicy/policy/modules/services/dhcpd.te b/refpolicy/policy/modules/services/dhcpd.te
new file mode 100644
index 0000000..9958d98
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.te
@@ -0,0 +1,136 @@
+
+policy_module(dhcpd,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t,dhcpd_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:fifo_file { read write getattr };
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t,dhcpd_exec_t)
+
+allow dhcpd_t dhcpd_state_t:file create_file_perms;
+sysnet_create_dhcp_state(dhcpd_t,dhcpd_state_t)
+
+allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
+allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
+files_create_tmp_files(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
+files_create_pid(dhcpd_t,dhcpd_var_run_t)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctl(dhcpd_t)
+
+corenet_tcp_sendrecv_all_if(dhcpd_t)
+corenet_udp_sendrecv_all_if(dhcpd_t)
+corenet_raw_sendrecv_all_if(dhcpd_t)
+corenet_tcp_sendrecv_all_nodes(dhcpd_t)
+corenet_udp_sendrecv_all_nodes(dhcpd_t)
+corenet_raw_sendrecv_all_nodes(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_all_nodes(dhcpd_t)
+corenet_udp_bind_all_nodes(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+term_dontaudit_use_console(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+corecmd_exec_sbin(dhcpd_t)
+
+domain_use_wide_inherit_fd(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+init_use_fd(dhcpd_t)
+init_use_script_pty(dhcpd_t)
+
+libs_use_ld_so(dhcpd_t)
+libs_use_shared_libs(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_config(dhcpd_t)
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(dhcpd_t)
+userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(dhcpd_t)
+	term_dontaudit_use_generic_pty(dhcpd_t)
+	files_dontaudit_read_root_file(dhcpd_t)
+')
+
+optional_policy(`bind.te',`
+	# used for dynamic DNS
+	bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(dhcpd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(dhcpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(dhcpd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(dhcpd_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 8eba00e..c5d37a5 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -326,6 +326,12 @@ ifdef(`distro_debian', `
 	files_setattr_etc_dir(initrc_t)
 ')
 
+ifdef(`distro_gentoo',`
+	optional_policy(`dhcp.te',`
+		dhcpd_setattr_state_files(initrc_t)
+	')
+')
+
 ifdef(`distro_redhat',`
 	# this is from kmodule, which should get its own policy:
 	allow initrc_t self:capability sys_admin;
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index ff423c0..b3f389a 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -10,9 +10,11 @@
 /etc/dhclient.*conf	--	context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhclient-script	--	context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcpc.*			context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpd\.conf	--	context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/resolv\.conf.*	--	context_template(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.*		--	context_template(system_u:object_r:net_conf_t,s0)
 
+/etc/dhcp3(/.*)?		context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp3?/dhclient.*		context_template(system_u:object_r:dhcp_etc_t,s0)
 
 #
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 7373da2..f0d486d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -268,3 +268,80 @@ interface(`sysnet_run_ifconfig',`
 	role $2 types ifconfig_t;
 	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Read the DHCP configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_read_dhcp_config',`
+	gen_require(`
+		type dhcp_etc_t;
+		class dir search;
+		class file { getattr read };
+	')
+
+	files_search_etc($1)
+	allow $1 dhcp_etc_t:dir search;
+	allow $1 dhcp_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Search the DHCP state data directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sysnet_search_dhcp_state',`
+	gen_require(`
+		type dhcp_state_t;
+		class dir search;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dhcp_state_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create DHCP state data.
+## </summary>
+## <desc>
+##	<p>
+##	Create DHCP state data.
+##	</p>
+##	<p>
+##	This is added for DHCP server, as
+##	the server and client put their state
+##	files in the same directory.
+##	</p>
+## </desc>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="file_type">
+##	The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+##	The object class.  If not specified, file is used.
+## </param>
+#
+interface(`sysnet_create_dhcp_state',`
+	gen_require(`
+		type dhcp_state_t;
+		class dir rw_dir_perms;
+	')
+
+	files_search_var_lib($1)
+	allow $1 dhcp_state_t:dir rw_dir_perms;
+	ifelse(`$3',`',`
+		type_transition $1 dhcp_state_t:file $2;
+	',`
+		type_transition $1 dhcp_state_t:$3 $2;
+	')
+')

More information about the scm-commits mailing list