#DESC DHCPC - DHCP client
#
# Authors: Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: pump dhcp-client udhcpc
#
# This file is m4 that is expanded into checkpolicy input.  The ifdef()
# blocks below key on the presence of other policy files (consoletype.te,
# hotplug.te, ...) so that cross-domain rules are only emitted when the
# domain they refer to actually exists in the build.

#################################
#
# Rules for the dhcpc_t domain.
#
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP
# network configurator daemon started by /etc/sysconfig/network-scripts
# rc scripts, runs in this domain.
# dhcpc_exec_t is the type of the dhcpcd executable.
# The dhcpc_t can be used for other DHCPC related files as well.
#
# Types declared here:
#   dhcpc_port_t  - the reserved UDP port the client binds (port 68, see below)
#   dhcpc_t, dhcpc_exec_t, dhcpc_var_run_t, dhcpc_tmp_t - via daemon_domain()
#                   and tmp_domain()
#   dhcpc_state_t - client lease/state files created under dhcp_state_t
#   dhcp_state_t, dhcp_etc_t - shared with the server; declared here only
#                   when dhcpd.te is not part of the build (see below)
#
type dhcpc_port_t, port_type, reserved_port_type;

daemon_domain(dhcpc)

# for SSP: the stack-smashing protector seeds its canary from /dev/urandom
allow dhcpc_t urandom_device_t:chr_file read;

can_network(dhcpc_t)
can_ypbind(dhcpc_t)
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
allow dhcpc_t self:unix_stream_socket create_socket_perms;
allow dhcpc_t self:fifo_file rw_file_perms;

allow dhcpc_t devpts_t:dir search;

# for localization
allow dhcpc_t lib_t:file { getattr read };

# Helpers the client execs; each one runs in its own domain rather than
# inheriting dhcpc_t, which keeps the permissions below scoped to the
# client itself.
ifdef(`consoletype.te', `
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
')
ifdef(`nscd.te', `
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
')
# Domains that start and signal the client (PCMCIA card manager, hotplug).
ifdef(`cardmgr.te', `
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
allow cardmgr_t dhcpc_t:process signal_perms;
')
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
allow hotplug_t dhcpc_t:process signal_perms;
allow hotplug_t dhcpc_var_run_t:file { getattr read };
# NOTE(review): dhcp_etc_t is also executable by dhcpc_t (see can_exec
# further down), so write access here lets hotplug_t influence what the
# client runs.  Confirm hotplug really needs rw rather than read.
allow hotplug_t dhcp_etc_t:file rw_file_perms;
allow dhcpc_t hotplug_etc_t:dir { getattr search };
ifdef(`distro_redhat', `
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
')
')dnl end hotplug.te

# for the dhcp client to run ping to check IP addresses
ifdef(`ping.te', `
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
# ping inherits open descriptors from whichever domain started the client
ifdef(`hotplug.te', `
allow ping_t hotplug_t:fd use;
') dnl end if hotplug
ifdef(`cardmgr.te', `
allow ping_t cardmgr_t:fd use;
') dnl end if cardmgr
') dnl end if ping

# The state and config types are shared with the DHCP server policy.
# Declare them here only when dhcpd.te is absent so they are declared
# exactly once; the aliases keep older labels valid.
ifdef(`dhcpd.te', `', `
type dhcp_state_t, file_type, sysadmfile;
type dhcp_etc_t, file_type, sysadmfile, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
')
type dhcpc_state_t, file_type, sysadmfile;

allow dhcpc_t etc_t:lnk_file read;
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
allow dhcpc_t proc_net_t:dir search;
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
allow dhcpc_t self:file { getattr read };
read_sysctl(dhcpc_t)
allow dhcpc_t userdomain:fd use;
ifdef(`run_init.te', `
allow dhcpc_t run_init_t:fd use;
')

# Use capabilities
# net_admin/net_raw: interface configuration and the packet socket below;
# net_bind_service: binding the reserved port 68 below.
# NOTE(review): dac_override, fsetid, sys_resource and sys_tty_config are
# not explained by any rule in this file; each one widens what a
# compromised client can do, so confirm they are still required.
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };

# for access("/etc/bashrc", X_OK) on Red Hat
# dontaudit grants nothing; it only silences the denial in the audit log
dontaudit dhcpc_t self:capability { dac_read_search sys_module };

# for udp port 68
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;

# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)

# Allow access to the dhcpc file types
r_dir_file(dhcpc_t, dhcp_etc_t)
allow dhcpc_t sbin_t:dir search;
# dhcp_etc_t is executable as well as readable (client hook scripts), so
# every domain allowed to write dhcp_etc_t in this file (hotplug_t above,
# initrc_t on Red Hat below) can feed code into dhcpc_t.
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
ifdef(`distro_redhat', `
# the network-scripts under /etc/sysconfig are plain etc_t on Red Hat
can_exec(dhcpc_t, etc_t)
allow initrc_t dhcp_etc_t:file rw_file_perms;
')
ifdef(`ifconfig.te', `
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
')dnl end if def ifconfig


tmp_domain(dhcpc)

# Allow dhcpc_t to use packet sockets
allow dhcpc_t self:packet_socket create_socket_perms;
# lease/state files live under dhcp_state_t and are created as dhcpc_state_t
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)

allow dhcpc_t bin_t:dir search;
allow dhcpc_t bin_t:lnk_file read;
can_exec(dhcpc_t, { bin_t shell_exec_t })

ifdef(`hostname.te', `
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
')
# silence terminal descriptors leaked from whoever started the client
dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
# the userdomain part repeats the rule above; rules are cumulative so this is harmless
allow dhcpc_t { userdomain kernel_t }:fd use;

allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
dontaudit dhcpc_t var_lock_t:dir search;
dontaudit dhcpc_t selinux_config_t:dir search;
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
#
# dhclient sometimes starts ypbind and ntpd
#
can_exec(dhcpc_t, initrc_exec_t)
ifdef(`ypbind.te', `
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
')
ifdef(`ntpd.te', `
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
')