From 27e1b5f5954aa5f4a71e673a8886c5a6326b68db Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Sep 29 2012 08:30:50 +0000 Subject: Changes to the dnsmasq policy module and relevant dependencies Ported from Fedora with changes. Signed-off-by: Dominick Grift --- diff --git a/dnsmasq.fc b/dnsmasq.fc index b886676..1840808 100644 --- a/dnsmasq.fc +++ b/dnsmasq.fc @@ -1,12 +1,13 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0) + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) -/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) +/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) +/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) +/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) -/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if index 9bd812b..8da726e 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -1,4 +1,4 @@ -## dnsmasq DNS forwarder and DHCP server +## DNS forwarder and DHCP server. ######################################## ## @@ -22,7 +22,8 @@ interface(`dnsmasq_domtrans',` ######################################## ## -## Execute the dnsmasq init script in the init script domain. +## Execute the dnsmasq init script in +## the init script domain. ## ## ## 
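Review bot: In dnsmasq.fc, the new log entry `/var/log/dnsmasq.* --` leaves the dot unescaped and the name unanchored, so it labels every regular file under /var/log whose name merely starts with `dnsmasq` as dnsmasq_var_log_t, not only `dnsmasq.log` and its rotated copies. If covering rotation was the only goal, `/var/log/dnsmasq\.log.* --` keeps the match to that family. The added `--` also limits the entry to regular files, so a log directory such as /var/log/dnsmasq/ would not be labelled by it; confirm that no deployment logs into a directory.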
@@ -41,7 +42,7 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## -## Send dnsmasq a signal +## Send generic signals to dnsmasq. ## ## ## @@ -60,7 +61,7 @@ interface(`dnsmasq_signal',` ######################################## ## -## Send dnsmasq a signull +## Send null signals to dnsmasq. ## ## ## @@ -79,7 +80,7 @@ interface(`dnsmasq_signull',` ######################################## ## -## Send dnsmasq a kill signal. +## Send kill signals to dnsmasq. ## ## ## @@ -117,7 +118,7 @@ interface(`dnsmasq_read_config',` ######################################## ## -## Write to dnsmasq config files. +## Write dnsmasq config files. ## ## ## @@ -136,7 +137,7 @@ interface(`dnsmasq_write_config',` ######################################## ## -## Delete dnsmasq pid files +## Delete dnsmasq pid files. ## ## ## @@ -155,7 +156,7 @@ interface(`dnsmasq_delete_pid_files',` ######################################## ## -## Read dnsmasq pid files +## Read dnsmasq pid files. ## ## ## @@ -174,8 +175,8 @@ interface(`dnsmasq_read_pid_files',` ######################################## ## -## All of the rules required to administrate -## an dnsmasq environment +## All of the rules required to +## administrate an dnsmasq environment. ## ## ## @@ -184,7 +185,7 @@ interface(`dnsmasq_read_pid_files',` ## ## ## -## The role to be allowed to manage the dnsmasq domain. +## Role allowed access. ## ## ## @@ -192,7 +193,7 @@ interface(`dnsmasq_read_pid_files',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t; + type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ') allow $1 dnsmasq_t:process { ptrace signal_perms }; @@ -206,6 +207,9 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) + logging_seearch_logs($1) + admin_pattern($1, dnsmasq_var_log_t) + files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) ') 
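Review bot: In the last dnsmasq.if hunk (`@@ -206,6 +207,9 @@`, inside dnsmasq_admin), the added call is spelled `logging_seearch_logs($1)`, which looks like a typo for `logging_search_logs($1)`. As written the name would most likely not expand as an interface, so a policy that calls dnsmasq_admin would either fail to build or leave the admin role without the search access to the log directory that the following `admin_pattern($1, dnsmasq_var_log_t)` relies on. The interface opens in the previous hunk, so only the tail of its body is visible here.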
diff --git a/dnsmasq.te b/dnsmasq.te index fdaeeba..aef646e 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -1,4 +1,4 @@ -policy_module(dnsmasq, 1.9.0) +policy_module(dnsmasq, 1.9.1) ######################################## # @@ -33,26 +33,28 @@ allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; -allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; -allow dnsmasq_t self:tcp_socket create_stream_socket_perms; -allow dnsmasq_t self:udp_socket create_socket_perms; +allow dnsmasq_t self:tcp_socket { accept listen }; allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) -# dhcp leases manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) -manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) +allow dnsmasq_t dnsmasq_var_log_t:file append_file_perms; +allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms; +allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms; logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) +manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) +files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) kernel_read_kernel_sysctls(dnsmasq_t) +kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) +kernel_request_load_module(dnsmasq_t) corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) 
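Review bot: In the second dnsmasq.te hunk, `kernel_request_load_module(dnsmasq_t)` is added with no comment saying which dnsmasq feature needs it. Letting a network-facing daemon that already holds net_admin and dac_override trigger kernel module loading widens what a compromised dnsmasq can reach, so the reason should be recorded beside the rule, for example `# <reason dnsmasq needs module autoloading>` (placeholder, to be filled in by the author). The same hunk drops the explicit self netlink_route_socket and udp_socket rules and narrows tcp_socket to `{ accept listen }`. Nothing visible here replaces those permissions, so confirm that an interface call outside the hunk still grants them.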
@@ -66,17 +68,17 @@ corenet_tcp_sendrecv_all_ports(dnsmasq_t) corenet_udp_sendrecv_all_ports(dnsmasq_t) corenet_tcp_bind_generic_node(dnsmasq_t) corenet_udp_bind_generic_node(dnsmasq_t) -corenet_tcp_bind_dns_port(dnsmasq_t) -corenet_udp_bind_all_ports(dnsmasq_t) + corenet_sendrecv_dns_server_packets(dnsmasq_t) +corenet_tcp_bind_dns_port(dnsmasq_t) corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) +corenet_udp_bind_all_ports(dnsmasq_t) dev_read_sysfs(dnsmasq_t) dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) -files_read_etc_files(dnsmasq_t) files_read_etc_runtime_files(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t) @@ -96,10 +98,19 @@ optional_policy(` ') optional_policy(` + dbus_connect_system_bus(dnsmasq_t) dbus_system_bus_client(dnsmasq_t) ') optional_policy(` + networkmanager_read_pid_files(dnsmasq_t) +') + +optional_policy(` + ppp_read_pid_files(dnsmasq_t) +') + +optional_policy(` seutil_sigchld_newrole(dnsmasq_t) ') @@ -114,4 +125,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') diff --git a/virt.if b/virt.if index d50f826..8879895 100644 --- a/virt.if +++ b/virt.if @@ -348,6 +348,42 @@ interface(`virt_manage_lib_files',` ######################################## ## +## Create objects in virt pid +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +## +# +interface(`virt_pid_filetrans',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) +') + +######################################## +## ## Allow the specified domain to read virt's log files. ## ## diff --git a/virt.te b/virt.te index 53428f9..a3aa08e 100644 --- a/virt.te +++ b/virt.te 
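Review bot: In the last dnsmasq.te hunk, `virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })` omits the name argument that the new virt.if interface forwards to filetrans_pattern as `$4`. As a result, every file or directory dnsmasq creates in a virt_var_run_t directory is labelled dnsmasq_var_run_t. If the intent is only the libvirt network directory that dnsmasq.fc labels (`/var/run/libvirt/network(/.*)?`), a named transition such as `virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, dir, "network")` would restrict it to that object. That intent is inferred from the file contexts, so confirm what dnsmasq actually creates there. Either way, a one-line comment above the call naming the object being created would make the scope of the transition reviewable.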
@@ -1,4 +1,4 @@ -policy_module(virt, 1.5.2) +policy_module(virt, 1.5.3) ######################################## #