From c6a28f0cb2368922e199d6a46a20180881f50dc7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:35 -0400
Subject: [PATCH] Make dnsmasq permissive or unconfined.

Also add rules from our policy.

Change-Id: I86f07f54c5120c511f9cab2877cf765c3ae7c1a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dnsmasq.te | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/dnsmasq.te b/dnsmasq.te
index a5c647a7e..0e1658080 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,6 +1,12 @@
+# DNS, DHCP services
 type dnsmasq, domain;
+permissive_or_unconfined(dnsmasq)
 type dnsmasq_exec, exec_type, file_type;
 
-init_daemon_domain(dnsmasq)
-net_domain(dnsmasq)
-unconfined_domain(dnsmasq)
+allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:tcp_socket create_socket_perms;
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+allow dnsmasq port:tcp_socket name_bind;
+allow dnsmasq node:tcp_socket node_bind;
-- 
GitLab
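Review bot: The added allow rules cover only `tcp_socket`, yet the header comment describes DNS and DHCP services, which run mainly over UDP, and the hunk drops `net_domain(dnsmasq)` without an equivalent. While the domain is under `permissive_or_unconfined(dnsmasq)` this will probably not block anything (the macro's expansion is not visible here), but the explicit rules are what remains once the domain is made enforcing, so the gap is better closed now than found through denials later. Consider keeping `net_domain(dnsmasq)`, or adding `allow dnsmasq self:udp_socket create_socket_perms;` with matching `name_bind` and `node_bind` rules for `udp_socket`. The hunk also removes `init_daemon_domain(dnsmasq)` and no other transition into `dnsmasq` is visible in this file, so it is worth confirming that the launching domain defines one; otherwise the process never enters this domain and these rules are not exercised.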