45815c3e40
dnsmasq presently requires dac_override to create files under
/data/misc/dhcp. Until it can be changed to run with group dhcp,
allow dac_override.
Addresses denials such as:
avc: denied { dac_override } for pid=21166 comm="dnsmasq" capability=1 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
23 lines
852 B
Text
23 lines
852 B
Text
# DNS, DHCP services
|
|
type dnsmasq, domain;
|
|
permissive_or_unconfined(dnsmasq)
|
|
type dnsmasq_exec, exec_type, file_type;
|
|
|
|
net_domain(dnsmasq)
|
|
|
|
# TODO: Run with dhcp group to avoid need for dac_override.
|
|
allow dnsmasq self:capability dac_override;
|
|
|
|
allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
|
|
|
|
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
|
allow dnsmasq dhcp_data_file:file create_file_perms;
|
|
|
|
# Inherit and use open files from netd.
|
|
allow dnsmasq netd:fd use;
|
|
allow dnsmasq netd:fifo_file { read write };
|
|
# TODO: Investigate whether these inherited sockets should be closed on exec.
|
|
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
|
|
allow dnsmasq netd:netlink_nflog_socket { read write };
|
|
allow dnsmasq netd:netlink_route_socket { read write };
|
|
allow dnsmasq netd:unix_stream_socket { read write };
|