[selinux-policy: 618/3172] add dhcpd
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:58:04 UTC 2010
commit 7c8fc35b142595f4fccd36831a5e9838b17cac6b
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Sep 2 14:52:08 2005 +0000
add dhcpd
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/bind.if | 19 ++++
refpolicy/policy/modules/services/dhcpd.fc | 6 +
refpolicy/policy/modules/services/dhcpd.if | 20 ++++
refpolicy/policy/modules/services/dhcpd.te | 136 +++++++++++++++++++++++++
refpolicy/policy/modules/system/init.te | 6 +
refpolicy/policy/modules/system/sysnetwork.fc | 2 +
refpolicy/policy/modules/system/sysnetwork.if | 77 ++++++++++++++
8 files changed, 267 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 74107e3..6f9abaf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -3,6 +3,7 @@
- Added policies:
comsat
dbus
+ dhcpd
* Fri Aug 26 2005 Chris PeBenito <selinux at tresys.com> - 20050826
- Add Makefile support for building loadable modules.
diff --git a/refpolicy/policy/modules/services/bind.if b/refpolicy/policy/modules/services/bind.if
index 2b0f6b9..b9b181f 100644
--- a/refpolicy/policy/modules/services/bind.if
+++ b/refpolicy/policy/modules/services/bind.if
@@ -52,6 +52,25 @@ interface(`bind_run_ndc',`
########################################
## <summary>
+## Read DNSSEC keys.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ class dir search;
+ class file { getattr read };
+ ')
+
+ allow $1 { named_conf_t named_zone_t }:dir search;
+ allow $1 dnssec_t:file { getattr read };
+')
+
+########################################
+## <summary>
## Read BIND named configuration files.
## </summary>
## <param name="domain">
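Review bot: The summary of `bind_read_dnssec_keys` says only "Read DNSSEC keys." and does not warn that `dnssec_t` presumably labels secret key material, which the dhcpd.te hunk uses "for dynamic DNS". A `<desc>` block should state that this grants read access to secrets and is meant only for domains that sign DNS updates, for example `## Grants read access to key material; use only for domains that sign dynamic DNS updates.` The interface also relies on the caller to search the parent directories itself, whereas `sysnet_read_dhcp_config` in this same commit calls `files_search_etc($1)` first. Where the keys live is not visible here, so that is worth confirming.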
diff --git a/refpolicy/policy/modules/services/dhcpd.fc b/refpolicy/policy/modules/services/dhcpd.fc
new file mode 100644
index 0000000..dd68495
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.fc
@@ -0,0 +1,6 @@
+
+/usr/sbin/dhcpd.* -- context_template(system_u:object_r:dhcpd_exec_t,s0)
+
+/var/lib/dhcp(3)?/dhcpd\.leases.* -- context_template(system_u:object_r:dhcpd_state_t,s0)
+
+/var/run/dhcpd\.pid -d context_template(system_u:object_r:dhcpd_var_run_t,s0)
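Review bot: The `/var/run/dhcpd\.pid` entry uses the `-d` specifier, which restricts the match to directories, but the path names the daemon's pid file and dhcpd.te grants only `dhcpd_var_run_t:file` permissions. As written, a relabel would likely leave the pid file without `dhcpd_var_run_t`; the entry should use `--`: `/var/run/dhcpd\.pid -- context_template(system_u:object_r:dhcpd_var_run_t,s0)`. Separately, `/usr/sbin/dhcpd.*` labels every regular file in /usr/sbin whose name begins with "dhcpd" as the daemon entry point, so a comment naming the binaries it is meant to cover would help.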
diff --git a/refpolicy/policy/modules/services/dhcpd.if b/refpolicy/policy/modules/services/dhcpd.if
new file mode 100644
index 0000000..4a40fbc
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.if
@@ -0,0 +1,20 @@
+## <summary>Dynamic host configuration protocol (DHCP) server</summary>
+
+########################################
+## <summary>
+## Set the attributes of the DCHP
+## server state files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`dhcpd_setattr_state_files',`
+ gen_require(`
+ type dhcpd_state_t;
+ class file setattr;
+ ')
+
+ sysnet_search_dhcp_state($1)
+ allow $1 dhcpd_state_t:file setattr;
+')
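Review bot: The summary of `dhcpd_setattr_state_files` misspells the protocol as "DCHP", and this text ends up in the generated interface documentation; it should read `## Set the attributes of the DHCP`. Because `setattr` lets the caller change ownership and mode of the lease files, a short `<desc>` naming the intended caller would also help. The init.te hunk shows that caller is the Gentoo init scripts, and saying so would keep the interface from being handed to other domains casually.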
diff --git a/refpolicy/policy/modules/services/dhcpd.te b/refpolicy/policy/modules/services/dhcpd.te
new file mode 100644
index 0000000..9958d98
--- /dev/null
+++ b/refpolicy/policy/modules/services/dhcpd.te
@@ -0,0 +1,136 @@
+
+policy_module(dhcpd,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type dhcpd_t;
+type dhcpd_exec_t;
+init_daemon_domain(dhcpd_t,dhcpd_exec_t)
+
+type dhcpd_state_t;
+files_type(dhcpd_state_t)
+
+type dhcpd_tmp_t;
+files_tmp_file(dhcpd_tmp_t)
+
+type dhcpd_var_run_t;
+files_pid_file(dhcpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+allow dhcpd_t self:fifo_file { read write getattr };
+allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+allow dhcpd_t self:unix_stream_socket create_socket_perms;
+allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow dhcpd_t self:tcp_socket create_stream_socket_perms;
+allow dhcpd_t self:udp_socket create_socket_perms;
+# Allow dhcpd_t to use packet sockets
+allow dhcpd_t self:packet_socket create_socket_perms;
+allow dhcpd_t self:rawip_socket create_socket_perms;
+
+can_exec(dhcpd_t,dhcpd_exec_t)
+
+allow dhcpd_t dhcpd_state_t:file create_file_perms;
+sysnet_create_dhcp_state(dhcpd_t,dhcpd_state_t)
+
+allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
+allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
+files_create_tmp_files(dhcpd_t, dhcpd_tmp_t, { file dir })
+
+allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
+files_create_pid(dhcpd_t,dhcpd_var_run_t)
+
+kernel_read_system_state(dhcpd_t)
+kernel_read_kernel_sysctl(dhcpd_t)
+
+corenet_tcp_sendrecv_all_if(dhcpd_t)
+corenet_udp_sendrecv_all_if(dhcpd_t)
+corenet_raw_sendrecv_all_if(dhcpd_t)
+corenet_tcp_sendrecv_all_nodes(dhcpd_t)
+corenet_udp_sendrecv_all_nodes(dhcpd_t)
+corenet_raw_sendrecv_all_nodes(dhcpd_t)
+corenet_tcp_sendrecv_all_ports(dhcpd_t)
+corenet_udp_sendrecv_all_ports(dhcpd_t)
+corenet_tcp_bind_all_nodes(dhcpd_t)
+corenet_udp_bind_all_nodes(dhcpd_t)
+corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_pxe_port(dhcpd_t)
+
+dev_read_sysfs(dhcpd_t)
+dev_read_rand(dhcpd_t)
+dev_read_urand(dhcpd_t)
+
+fs_getattr_all_fs(dhcpd_t)
+fs_search_auto_mountpoints(dhcpd_t)
+
+term_dontaudit_use_console(dhcpd_t)
+
+corecmd_exec_bin(dhcpd_t)
+corecmd_exec_sbin(dhcpd_t)
+
+domain_use_wide_inherit_fd(dhcpd_t)
+
+files_read_etc_files(dhcpd_t)
+files_read_usr_files(dhcpd_t)
+files_read_etc_runtime_files(dhcpd_t)
+files_search_var_lib(dhcpd_t)
+
+init_use_fd(dhcpd_t)
+init_use_script_pty(dhcpd_t)
+
+libs_use_ld_so(dhcpd_t)
+libs_use_shared_libs(dhcpd_t)
+
+logging_send_syslog_msg(dhcpd_t)
+
+miscfiles_read_localization(dhcpd_t)
+
+sysnet_read_config(dhcpd_t)
+sysnet_read_dhcp_config(dhcpd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(dhcpd_t)
+userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(dhcpd_t)
+ term_dontaudit_use_generic_pty(dhcpd_t)
+ files_dontaudit_read_root_file(dhcpd_t)
+')
+
+optional_policy(`bind.te',`
+ # used for dynamic DNS
+ bind_read_dnssec_keys(dhcpd_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(dhcpd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(dhcpd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(dhcpd_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(dhcpd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(dhcpd_t)
+')
+') dnl end TODO
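Review bot: The local policy lets `dhcpd_t` create `packet_socket` and `rawip_socket` and bind the DHCP server port, but the only `self:capability` rule outside the Gentoo block is a `dontaudit` for `net_admin` and `sys_tty_config`. Opening raw or packet sockets and binding a privileged port normally trigger `net_raw` and `net_bind_service` capability checks. Unless one of the macros called here grants them (not visible in this diff), the daemon would be denied at startup; consider `allow dhcpd_t self:capability { net_bind_service net_raw };`. The Gentoo block adds `dac_override` and `sys_chroot` with no explanation, and TCP send/receive is opened on all ports although only UDP ports are bound. A one-line comment on each (`# failover / dynamic DNS` for TCP, if that is the reason) would make the least-privilege intent reviewable.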
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 8eba00e..c5d37a5 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -326,6 +326,12 @@ ifdef(`distro_debian', `
files_setattr_etc_dir(initrc_t)
')
+ifdef(`distro_gentoo',`
+ optional_policy(`dhcp.te',`
+ dhcpd_setattr_state_files(initrc_t)
+ ')
+')
+
ifdef(`distro_redhat',`
# this is from kmodule, which should get its own policy:
allow initrc_t self:capability sys_admin;
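Review bot: The `optional_policy` guard names `dhcp.te`, but the module this commit adds is `dhcpd.te` (`policy_module(dhcpd,1.0)`). The optional blocks in dhcpd.te name the providing module file exactly (`bind.te`, `udev.te`). If the guard is matched against the module file name, the block either never activates or calls `dhcpd_setattr_state_files` when the interface is not present, so the first argument should probably be `dhcpd.te`. The enclosing `ifdef` blocks continue outside this hunk.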
diff --git a/refpolicy/policy/modules/system/sysnetwork.fc b/refpolicy/policy/modules/system/sysnetwork.fc
index ff423c0..b3f389a 100644
--- a/refpolicy/policy/modules/system/sysnetwork.fc
+++ b/refpolicy/policy/modules/system/sysnetwork.fc
@@ -10,9 +10,11 @@
/etc/dhclient.*conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- context_template(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpd\.conf -- context_template(system_u:object_r:dhcp_etc_t,s0)
/etc/resolv\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- context_template(system_u:object_r:net_conf_t,s0)
+/etc/dhcp3(/.*)? context_template(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* context_template(system_u:object_r:dhcp_etc_t,s0)
#
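Review bot: `/etc/dhcpd\.conf` and everything under `/etc/dhcp3` get the same `dhcp_etc_t` type as the dhclient configuration, so any domain allowed to read `dhcp_etc_t` can read the server configuration too. That access may come from the `sysnet_read_dhcp_config` interface added in this commit or from rules outside this diff. A DHCP server configuration can carry shared secrets such as keys for dynamic DNS updates, so a separate server-only type would keep client-side domains away from it. No such type exists in this commit; it would have to be declared in dhcpd.te and given its own read interface. The new `/etc/dhcp3(/.*)?` line also overlaps the existing `/etc/dhcp3?/dhclient.*` entry with an identical context, which is harmless but makes the latter partly redundant.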
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 7373da2..f0d486d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -268,3 +268,80 @@ interface(`sysnet_run_ifconfig',`
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Read the DHCP configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`sysnet_read_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ class dir search;
+ class file { getattr read };
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:dir search;
+ allow $1 dhcp_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Search the DHCP state data directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`sysnet_search_dhcp_state',`
+ gen_require(`
+ type dhcp_state_t;
+ class dir search;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcp_state_t:dir search;
+')
+
+########################################
+## <summary>
+## Create DHCP state data.
+## </summary>
+## <desc>
+## <p>
+## Create DHCP state data.
+## </p>
+## <p>
+## This is added for DHCP server, as
+## the server and client put their state
+## files in the same directory.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="file_type">
+## The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+## The object class. If not specified, file is used.
+## </param>
+#
+interface(`sysnet_create_dhcp_state',`
+ gen_require(`
+ type dhcp_state_t;
+ class dir rw_dir_perms;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcp_state_t:dir rw_dir_perms;
+ ifelse(`$3',`',`
+ type_transition $1 dhcp_state_t:file $2;
+ ',`
+ type_transition $1 dhcp_state_t:$3 $2;
+ ')
+')
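Review bot: `sysnet_create_dhcp_state` is documented only as "Create DHCP state data", but it grants `rw_dir_perms` on the `dhcp_state_t` directory that the description says is shared with the DHCP client. As far as I know that permission set also covers removing directory entries, not only adding them. The `<desc>` should state this, and should say that the interface sets up only the directory access and the `type_transition`, so the caller must allow itself access to the created type (dhcpd.te does this with `allow dhcpd_t dhcpd_state_t:file create_file_perms;`). A line such as `## The caller must separately be allowed to create and write objects of the given type.` would cover it. The `file_type` parameter description is also missing its closing period.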