Chris PeBenito 0fbfa5
#DESC DHCPC - DHCP client
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
Chris PeBenito 0fbfa5
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: pump dhcp-client udhcpc
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the dhcpc_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
Chris PeBenito 0fbfa5
# network configurator daemon started by /etc/sysconfig/network-scripts 
Chris PeBenito 0fbfa5
# rc scripts, runs in this domain.
Chris PeBenito 0fbfa5
# dhcpc_exec_t is the type of the dhcpcd executable.
Chris PeBenito 0fbfa5
# The dhcpc_t can be used for other DHCPC related files as well.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
type dhcpc_port_t, port_type, reserved_port_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
daemon_domain(dhcpc)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for SSP
Chris PeBenito 0fbfa5
allow dhcpc_t urandom_device_t:chr_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_network(dhcpc_t)
Chris PeBenito 0fbfa5
can_ypbind(dhcpc_t)
Chris PeBenito 0fbfa5
allow dhcpc_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow dhcpc_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow dhcpc_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dhcpc_t devpts_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for localization
Chris PeBenito 0fbfa5
allow dhcpc_t lib_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`consoletype.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`nscd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`cardmgr.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
Chris PeBenito 0fbfa5
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
Chris PeBenito 0fbfa5
allow cardmgr_t dhcpc_t:process signal_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`hotplug.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
Chris PeBenito 0fbfa5
allow hotplug_t dhcpc_t:process signal_perms;
Chris PeBenito 0fbfa5
allow hotplug_t dhcpc_var_run_t:file { getattr read };
Chris PeBenito 0fbfa5
allow hotplug_t dhcp_etc_t:file rw_file_perms;
Chris PeBenito 0fbfa5
allow dhcpc_t hotplug_etc_t:dir { getattr search };
Chris PeBenito 0fbfa5
ifdef(`distro_redhat', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
')dnl end hotplug.te
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for the dhcp client to run ping to check IP addresses
Chris PeBenito 0fbfa5
ifdef(`ping.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
Chris PeBenito 0fbfa5
ifdef(`hotplug.te', `
Chris PeBenito 0fbfa5
allow ping_t hotplug_t:fd use;
Chris PeBenito 0fbfa5
') dnl end if hotplug
Chris PeBenito 0fbfa5
ifdef(`cardmgr.te', `
Chris PeBenito 0fbfa5
allow ping_t cardmgr_t:fd use;
Chris PeBenito 0fbfa5
') dnl end if cardmgr
Chris PeBenito 0fbfa5
') dnl end if ping
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`dhcpd.te', `', `
Chris PeBenito 0fbfa5
type dhcp_state_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
type dhcp_etc_t, file_type, sysadmfile, usercanread; 
Chris PeBenito 0fbfa5
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
type dhcpc_state_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dhcpc_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
Chris PeBenito 0fbfa5
allow dhcpc_t proc_net_t:dir search;
Chris PeBenito 0fbfa5
allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
Chris PeBenito 0fbfa5
allow dhcpc_t self:file { getattr read };
Chris PeBenito 0fbfa5
read_sysctl(dhcpc_t)
Chris PeBenito 0fbfa5
allow dhcpc_t userdomain:fd use;
Chris PeBenito 0fbfa5
ifdef(`run_init.te', `
Chris PeBenito 0fbfa5
allow dhcpc_t run_init_t:fd use;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities
Chris PeBenito 0fbfa5
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for access("/etc/bashrc", X_OK) on Red Hat
Chris PeBenito 0fbfa5
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for udp port 68
Chris PeBenito 0fbfa5
allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
Chris PeBenito 0fbfa5
# in /etc created by dhcpcd will be labelled net_conf_t.
Chris PeBenito 0fbfa5
file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow access to the dhcpc file types
Chris PeBenito 0fbfa5
r_dir_file(dhcpc_t, dhcp_etc_t)
Chris PeBenito 0fbfa5
allow dhcpc_t sbin_t:dir search;
Chris PeBenito 0fbfa5
can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
Chris PeBenito 0fbfa5
ifdef(`distro_redhat', `
Chris PeBenito 0fbfa5
can_exec(dhcpc_t, etc_t)
Chris PeBenito 0fbfa5
allow initrc_t dhcp_etc_t:file rw_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`ifconfig.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
Chris PeBenito 0fbfa5
')dnl end if def ifconfig
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(dhcpc)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow dhcpc_t to use packet sockets
Chris PeBenito 0fbfa5
allow dhcpc_t self:packet_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow dhcpc_t var_lib_t:dir search;
Chris PeBenito 0fbfa5
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dhcpc_t bin_t:dir search;
Chris PeBenito 0fbfa5
allow dhcpc_t bin_t:lnk_file read;
Chris PeBenito 0fbfa5
can_exec(dhcpc_t, { bin_t shell_exec_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`hostname.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file { read write };
Chris PeBenito 0fbfa5
allow dhcpc_t { userdomain kernel_t }:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dhcpc_t home_root_t:dir search;
Chris PeBenito 0fbfa5
allow initrc_t dhcpc_state_t:file { getattr read };
Chris PeBenito 0fbfa5
dontaudit dhcpc_t var_lock_t:dir search;
Chris PeBenito 0fbfa5
dontaudit dhcpc_t selinux_config_t:dir search;
Chris PeBenito 0fbfa5
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5
dontaudit dhcpc_t domain:dir getattr;
Chris PeBenito 0fbfa5
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# dhclient sometimes starts ypbind and ntdp
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
can_exec(dhcpc_t, initrc_exec_t)
Chris PeBenito 0fbfa5
ifdef(`ypbind.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`ntpd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
Chris PeBenito 0fbfa5
')