#DESC dnsmasq - DNS forwarder and DHCP server
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: dnsmasq
#
#################################
#
# Rules for the dnsmasq_t domain.
#
daemon_domain(dnsmasq);
# Type for the lease database the daemon writes; files get this label through
# the file_type_auto_trans rule at the bottom of this file.
# NOTE(review): the sysadmfile attribute presumably lets the sysadm domain
# manage these files -- confirm that is intended.
type dnsmasq_lease_t, file_type, sysadmfile;

# misc. requirements
# NOTE(review): setuid/setgid are presumably for dropping root after start-up,
# and net_raw for the packet/rawip sockets granted below -- confirm against the
# daemon's actual behaviour before widening or narrowing this capability set.
allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
# Read access to the kernel random source (presumably for randomised
# source ports / transaction IDs -- TODO confirm).
allow dnsmasq_t urandom_device_t:chr_file read;

# network-related goodies
can_network_server(dnsmasq_t)
# NIS client access via ypbind; verify this is actually required and drop it
# if dnsmasq is not expected to do NIS lookups.
can_ypbind(dnsmasq_t)
# Packet and raw IP sockets, presumably required by the DHCP server side, which
# has to talk to clients that do not yet hold an IP address -- TODO confirm.
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;

# DHCP server port (UDP 67) and DNS port (53).  Note that the DNS rule covers
# tcp_socket as well as udp_socket, so the daemon may also listen for DNS over TCP.
allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;

# By default, dnsmasq binds to the wildcard address (INADDR_ANY) to listen for
# DNS requests.  Comment out the following entry if you do not want to allow
# this behaviour (e.g. when dnsmasq is configured to bind specific addresses).
# NOTE(review): only udp_socket node_bind is granted here, while the DNS port
# rule above also permits tcp_socket name_bind.  If the daemon listens for DNS
# over TCP on the wildcard address too, a matching tcp_socket node_bind may be
# needed -- check the audit log rather than adding it blindly.
allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;

# allow access to dnsmasq.conf
# This grants read on every file labelled etc_t, not just dnsmasq.conf;
# a dedicated configuration type for the daemon would be tighter.
allow dnsmasq_t etc_t:file r_file_perms;

# dhcp leases: files dnsmasq_t creates under var_lib_t are automatically
# labelled dnsmasq_lease_t, keeping the lease database in its own type.
file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)