* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
@ 2015-04-13 15:36 Jason Zaman
  2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw)
  To: refpolicy

Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock; this adds the
filetrans rule.

$ start-pulseaudio-x11
W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
E: [pulseaudio] main.c: Failed to acquire autospawn lock
---
 pulseaudio.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pulseaudio.te b/pulseaudio.te
index 4665af2..648de3a 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
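Review bot: the new rule on the `+` line only fires when the parent directory carries user_tmp_t (that is what userdom_user_tmp_filetrans keys on), while the commit message describes the target only as /tmp/pulse-*. If the /tmp/pulse-* directory was created by some other client domain and carries that domain's tmp type, the lock file will not transition to pulseaudio_tmp_t and the same "Permission denied" returns; the files_tmp_filetrans(..., dir) line above does not help here either, since pulseaudio_t did not create the directory. State that assumption (parent dir is user_tmp_t) in the commit message so the limitation is visible to whoever hits the denial next.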
-- 
2.0.5


* [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd
  2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman
@ 2015-04-13 15:36 ` Jason Zaman
  2015-04-13 19:32   ` Dominick Grift
  2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw)
  To: refpolicy

---
 snmp.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/snmp.fc b/snmp.fc
index 2f0a2f2..d3db67a 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,5 +1,6 @@
 /etc/rc\.d/init\.d/(snmpd|snmptrapd)	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
 
+/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 /usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 /usr/sbin/snmptrapd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
 
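Review bot: the commit message is empty; it should say what was observed (presumably snmpd running in the wrong domain because /usr/sbin/snmpd had no entry and fell back to the generic bin label) and that existing installs need `restorecon /usr/sbin/snmpd` after the policy update, since adding an fc entry does not relabel files already on disk. Style: the three /usr/sbin/snmp* entries in this hunk could be collapsed into one regex in the same way the init script line above does it, e.g. `/usr/sbin/snmp(d|trap|trapd)	--	gen_context(system_u:object_r:snmpd_exec_t,s0)`.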
-- 
2.0.5


* [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts
  2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman
  2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman
@ 2015-04-13 15:36 ` Jason Zaman
  2015-04-13 19:33   ` Dominick Grift
  2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen
  2015-04-13 19:32 ` Dominick Grift
  3 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw)
  To: refpolicy

dnsmasq has the --dhcp-script= option to execute scripts when leases are
given. dnsmasq needs to have shell access to run these.
---
 dnsmasq.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dnsmasq.te b/dnsmasq.te
index e2f8300..b3caf80 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t)
 kernel_read_system_state(dnsmasq_t)
 kernel_request_load_module(dnsmasq_t)
 
+corecmd_exec_shell(dnsmasq_t)
+
 corenet_all_recvfrom_unlabeled(dnsmasq_t)
 corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
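Review bot: corecmd_exec_shell(dnsmasq_t) on the `+` line grants a network-facing daemon unconditional permission to execute a shell, while the commit message says this is only needed for the optional --dhcp-script= feature. Gate it behind a tunable (a tunable_policy block with a boolean such as dnsmasq_exec_scripts, name suggested here) so deployments that do not use lease scripts keep the tighter policy. Also, executing the shell interpreter is only half of what a lease script needs: the script file itself must carry an executable type dnsmasq_t may run (corecmd_exec_bin for bin_t, or a dedicated type), and the hunk adds neither, so either add it or say in the commit message how the scripts are expected to be labeled.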
-- 
2.0.5


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman
  2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman
  2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman
@ 2015-04-13 17:31 ` Sven Vermeulen
  2015-04-13 17:34   ` Dominick Grift
  2015-04-13 17:49   ` Sven Vermeulen
  2015-04-13 19:32 ` Dominick Grift
  3 siblings, 2 replies; 11+ messages in thread
From: Sven Vermeulen @ 2015-04-13 17:31 UTC (permalink / raw)
  To: refpolicy

Doesn't the files_tmp_filetrans for the directory class already ensure that
the /tmp/pulse-* directory is of the right type?
On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote:

> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> filetrans rule.
>
> $ start-pulseaudio-x11
> W: [autospawn] core-util.c: Failed to create lock file
> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> E: [pulseaudio] main.c: Failed to acquire autospawn lock
> ---
>  pulseaudio.te | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..648de3a 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
>  manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>  manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> pulseaudio_tmp_t)
>  files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> "autospawn.lock")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> "dbus-socket")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> "native")
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen
@ 2015-04-13 17:34   ` Dominick Grift
  2015-04-13 17:49   ` Sven Vermeulen
  1 sibling, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-04-13 17:34 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 07:31:55PM +0200, Sven Vermeulen wrote:
> Doesn't the files_tmp_filetrans for the directory class already ensure that
> the /tmp/pulse-* directory is of the right type?

Good point. Not everything ends up in that directory though, but I would like to know where exactly that file ends up.

> On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote:
> 
> > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> > filetrans rule.
> >
> > $ start-pulseaudio-x11
> > W: [autospawn] core-util.c: Failed to create lock file
> > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> > E: [pulseaudio] main.c: Failed to acquire autospawn lock
> > ---
> >  pulseaudio.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/pulseaudio.te b/pulseaudio.te
> > index 4665af2..648de3a 100644
> > --- a/pulseaudio.te
> > +++ b/pulseaudio.te
> > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> >  manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
> >  manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> >  files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "autospawn.lock")
> >  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
> >  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> > "dbus-socket")
> >  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
> > "native")
> > --
> > 2.0.5
> >


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen
  2015-04-13 17:34   ` Dominick Grift
@ 2015-04-13 17:49   ` Sven Vermeulen
  2015-04-13 18:02     ` Jason Zaman
  1 sibling, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2015-04-13 17:49 UTC (permalink / raw)
  To: refpolicy

Meh, my mistake. The directory is written by pulseaudio client applications
and gets the user_tmp_t type. Sorry for the noise.

Wkr,
  Sven  Vermeulen
On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <sven.vermeulen@siphos.be> wrote:

> Doesn't the files_tmp_filetrans for the directory class already ensure
> that the /tmp/pulse-* directory is of the right type?
> On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote:
>
>> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
>> filetrans rule.
>>
>> $ start-pulseaudio-x11
>> W: [autospawn] core-util.c: Failed to create lock file
>> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
>> E: [pulseaudio] main.c: Failed to acquire autospawn lock
>> ---
>>  pulseaudio.te | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/pulseaudio.te b/pulseaudio.te
>> index 4665af2..648de3a 100644
>> --- a/pulseaudio.te
>> +++ b/pulseaudio.te
>> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t,
>> pulseaudio_tmp_t)
>>  manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>>  manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
>> pulseaudio_tmp_t)
>>  files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
>> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
>> "autospawn.lock")
>>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
>>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
>> "dbus-socket")
>>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file,
>> "native")
>> --
>> 2.0.5
>>


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 17:49   ` Sven Vermeulen
@ 2015-04-13 18:02     ` Jason Zaman
  2015-04-13 18:05       ` Dominick Grift
  0 siblings, 1 reply; 11+ messages in thread
From: Jason Zaman @ 2015-04-13 18:02 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
>    Meh, my mistake. The directory is written by pulseaudio client
>    applications and gets the user_tmp_t type. Sorry for the noise.

for the record:
$ ls -alZ /tmp/pulse-PKdhtXMmr18n/
total 4
drwx------.  2 jason users staff_u:object_r:user_tmp_t        80 Apr 13 21:51 ./
drwxrwxrwt. 14 root  root  system_u:object_r:tmp_t           440 Apr 13 21:53 ../
srwxrwxrwx.  1 jason users staff_u:object_r:pulseaudio_tmp_t   0 Apr 13 21:51 native=
-rw-------.  1 jason users staff_u:object_r:pulseaudio_tmp_t   6 Apr 13 21:51 pid

autospawn.lock goes away right after the server is spawned; it's only
there for a short time. Also, the dir does not *have* to be user_tmp_t.
The first program that wants sound will start up pulse (usually it's
gsettings or equivalent though). E.g. if you don't have pulse running and
start youtube you might get /tmp/pulse-* being mozilla_tmp_t.

-- Jason

>    Wkr,
>      Sven  Vermeulen
> 
>    On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <sven.vermeulen@siphos.be>
>    wrote:
> 
>      Doesn't the files_tmp_filetrans for the directory class already
>      ensure that the /tmp/pulse-* directory is of the right type?
> 
>    On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote:
> 
>      Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds
>      the
>      filetrans rule.
>      $ start-pulseaudio-x11
>      W: [autospawn] core-util.c: Failed to create lock file
>      '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
>      E: [pulseaudio] main.c: Failed to acquire autospawn lock
>      ---
>      ? pulseaudio.te | 1 +
>      ? 1 file changed, 1 insertion(+)
>      diff --git a/pulseaudio.te b/pulseaudio.te
>      index 4665af2..648de3a 100644
>      --- a/pulseaudio.te
>      +++ b/pulseaudio.te
>      @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t,
>      pulseaudio_tmp_t, pulseaudio_tmp_t)
>      ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
>      pulseaudio_tmp_t)
>      ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
>      pulseaudio_tmp_t)
>      ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
>      +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
>      "autospawn.lock")
>      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
>      "pid")
>      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
>      sock_file, "dbus-socket")
>      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
>      sock_file, "native")
>      --
>      2.0.5


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 18:02     ` Jason Zaman
@ 2015-04-13 18:05       ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-04-13 18:05 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 10:02:30PM +0400, Jason Zaman wrote:
> On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> >    Meh, my mistake. The directory is written by pulseaudio client
> >    applications and gets the user_tmp_t type. Sorry for the noise.
> 
> for the record:
> $ ls -alZ /tmp/pulse-PKdhtXMmr18n/
> total 4
> drwx------.  2 jason users staff_u:object_r:user_tmp_t        80 Apr 13 21:51 ./
> drwxrwxrwt. 14 root  root  system_u:object_r:tmp_t           440 Apr 13 21:53 ../
> srwxrwxrwx.  1 jason users staff_u:object_r:pulseaudio_tmp_t   0 Apr 13 21:51 native=
> -rw-------.  1 jason users staff_u:object_r:pulseaudio_tmp_t   6 Apr 13 21:51 pid
> 
> autospawn.lock goes away right after the server is spawned; it's only
> there for a short time. Also, the dir does not *have* to be user_tmp_t.
> The first program that wants sound will start up pulse (usually it's
> gsettings or equivalent though). E.g. if you don't have pulse running and
> start youtube you might get /tmp/pulse-* being mozilla_tmp_t.
> 


Yes, it's fragile, no doubt.

Move it to XDG_RUNTIME_DIR, which allows you to get rid of the random suffix, then implement a name-based type transition for the "pulse" dir there.


> -- Jason
> 
> >    Wkr,
> >      Sven  Vermeulen
> > 
> >    On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <sven.vermeulen@siphos.be>
> >    wrote:
> > 
> >      Doesn't the files_tmp_filetrans for the directory class already
> >      ensure that the /tmp/pulse-* directory is of the right type?
> > 
> >    On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote:
> > 
> >      Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds
> >      the
> >      filetrans rule.
> >      $ start-pulseaudio-x11
> >      W: [autospawn] core-util.c: Failed to create lock file
> >      '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> >      E: [pulseaudio] main.c: Failed to acquire autospawn lock
> >      ---
> >      ? pulseaudio.te | 1 +
> >      ? 1 file changed, 1 insertion(+)
> >      diff --git a/pulseaudio.te b/pulseaudio.te
> >      index 4665af2..648de3a 100644
> >      --- a/pulseaudio.te
> >      +++ b/pulseaudio.te
> >      @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t,
> >      pulseaudio_tmp_t, pulseaudio_tmp_t)
> >      ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> >      pulseaudio_tmp_t)
> >      ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> >      pulseaudio_tmp_t)
> >      ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> >      +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> >      "autospawn.lock")
> >      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> >      "pid")
> >      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> >      sock_file, "dbus-socket")
> >      ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> >      sock_file, "native")
> >      --
> >      2.0.5

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
  2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman
                   ` (2 preceding siblings ...)
  2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen
@ 2015-04-13 19:32 ` Dominick Grift
  3 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-04-13 19:32 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 07:36:11PM +0400, Jason Zaman wrote:
> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the
> filetrans rule.
> 
> $ start-pulseaudio-x11
> W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> E: [pulseaudio] main.c: Failed to acquire autospawn lock


The pulseaudio policy is fragile, granted, but this rule makes sense to me. Merged, thanks.

> ---
>  pulseaudio.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..648de3a 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>  manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>  manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
>  files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
>  userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
> -- 
> 2.0.5
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd
  2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman
@ 2015-04-13 19:32   ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-04-13 19:32 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 07:36:12PM +0400, Jason Zaman wrote:

Thanks. Merged.

> ---
>  snmp.fc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/snmp.fc b/snmp.fc
> index 2f0a2f2..d3db67a 100644
> --- a/snmp.fc
> +++ b/snmp.fc
> @@ -1,5 +1,6 @@
>  /etc/rc\.d/init\.d/(snmpd|snmptrapd)	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
>  
> +/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
>  /usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
>  /usr/sbin/snmptrapd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
>  
> -- 
> 2.0.5
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts
  2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman
@ 2015-04-13 19:33   ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2015-04-13 19:33 UTC (permalink / raw)
  To: refpolicy

On Mon, Apr 13, 2015 at 07:36:13PM +0400, Jason Zaman wrote:
> dnsmasq has the --dhcp-script= option to execute scripts when leases are
> given. dnsmasq needs to have shell access to run these.

Thanks. Merged.

> ---
>  dnsmasq.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/dnsmasq.te b/dnsmasq.te
> index e2f8300..b3caf80 100644
> --- a/dnsmasq.te
> +++ b/dnsmasq.te
> @@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t)
>  kernel_read_system_state(dnsmasq_t)
>  kernel_request_load_module(dnsmasq_t)
>  
> +corecmd_exec_shell(dnsmasq_t)
> +
>  corenet_all_recvfrom_unlabeled(dnsmasq_t)
>  corenet_all_recvfrom_netlabel(dnsmasq_t)
>  corenet_tcp_sendrecv_generic_if(dnsmasq_t)
> -- 
> 2.0.5
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman
2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman
2015-04-13 19:32   ` Dominick Grift
2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman
2015-04-13 19:33   ` Dominick Grift
2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen
2015-04-13 17:34   ` Dominick Grift
2015-04-13 17:49   ` Sven Vermeulen
2015-04-13 18:02     ` Jason Zaman
2015-04-13 18:05       ` Dominick Grift
2015-04-13 19:32 ` Dominick Grift
