#DESC dnsmasq - DNS forwarder and DHCP server
#
# Author: Greg Norris <haphazard@kc.rr.com>
# X-Debian-Packages: dnsmasq
#

#################################
#
# Rules for the dnsmasq_t domain.
#
# Every rule in this file is keyed on dnsmasq_t.  The domain itself is
# produced by the daemon_domain() macro, which is defined outside this
# file; presumably it also declares the executable type and the init
# transition -- confirm against the macro definition.
daemon_domain(dnsmasq);

# Type for the DHCP lease database.  The file_type and sysadmfile
# attributes are declared elsewhere.  Files get this label through the
# file_type_auto_trans() rule at the bottom of this file.
type dnsmasq_lease_t, file_type, sysadmfile;

# misc. requirements
# setgid/setuid: presumably so the daemon can drop root after start-up
# (inferred from the capability names only).  net_bind_service: the
# ports bound below (53 and 67) are privileged.  net_raw: required by the
# packet_socket and rawip_socket rules in the network section.
allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
allow dnsmasq_t urandom_device_t:chr_file read;

# network-related goodies
# can_network_server() and can_ypbind() are macros defined outside this
# file; see their definitions for the exact permissions they expand to.
can_network_server(dnsmasq_t)
can_ypbind(dnsmasq_t)
# Raw and packet sockets pair with the net_raw capability granted above.
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;

# UDP port 67 (DHCP server) and port 53 (DNS).  Note that the DNS rule
# grants name_bind on tcp_socket as well as udp_socket, so it is not
# UDP-only.
allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;

# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
# Comment out the following entry if you do not want to allow this behaviour.
# (Without this rule, node_bind on the wildcard node -- i.e. bind() to
# INADDR_ANY -- is denied for dnsmasq_t.)
allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;

# allow access to dnsmasq.conf
# NOTE(review): the object is the generic etc_t type, so this grants read
# access to every file labelled etc_t, not only dnsmasq.conf.  A dedicated
# config type would narrow this; left as-is here.
allow dnsmasq_t etc_t:file r_file_perms;

# dhcp leases
# file_type_auto_trans() is a macro defined elsewhere; from its arguments
# it appears to label files that dnsmasq_t creates in var_lib_t
# directories as dnsmasq_lease_t instead of var_lib_t -- confirm against
# the macro definition.
file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)