platform_system_sepolicy/public/dnsmasq.te
Maciej Żenczykowski 4a865b3089 add dontaudit dnsmasq kernel:system module_request
This was originally added due to:
  avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.'

This is most likely simply triggered by a race condition on attempting
to access a non existent network device 'bt-pan'.

While we've never seen this anywhere else, it could potentially happen
on any device so we might as well make this global...

Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c
2020-01-18 18:22:12 -08:00

28 lines
1.2 KiB
Text

# DNS, DHCP services
type dnsmasq, domain;
type dnsmasq_exec, system_file_type, exec_type, file_type;
net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;
# Inherit and use open files from netd.
allow dnsmasq netd:fd use;
allow dnsmasq netd:fifo_file { getattr read write };
# TODO: Investigate whether these inherited sockets should be closed on exec.
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
allow dnsmasq netd:netlink_nflog_socket { read write };
allow dnsmasq netd:netlink_route_socket { read write };
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
# sometimes a network device vanishes and we try to load module netdev-{devicename}
dontaudit dnsmasq kernel:system module_request;