#DESC dnsmasq - DNS forwarder and DHCP server
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: dnsmasq
#

#################################
#
# Rules for the dnsmasq_t domain.
#
daemon_domain(dnsmasq);
type dnsmasq_lease_t, file_type, sysadmfile;

# misc. requirements
allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
allow dnsmasq_t urandom_device_t:chr_file read;

# network-related goodies
can_network_server(dnsmasq_t)
can_ypbind(dnsmasq_t)
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;

# UDP ports 53 and 67
allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;

# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
# Comment out the following entry if you do not want to allow this behaviour.
allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;

# allow access to dnsmasq.conf
allow dnsmasq_t etc_t:file r_file_perms;

# dhcp leases
file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)