4a865b3089
This was originally added due to:
avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.'
This is most likely simply triggered by a race condition on attempting
to access a non existent network device 'bt-pan'.
While we've never seen this anywhere else, it could potentially happen
on any device so we might as well make this global...
Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c
29 lines
1.2 KiB
Plaintext
29 lines
1.2 KiB
Plaintext
# DNS, DHCP services
|
|
type dnsmasq, domain;
|
|
type dnsmasq_exec, system_file_type, exec_type, file_type;
|
|
|
|
net_domain(dnsmasq)
|
|
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
|
|
|
|
# TODO: Run with dhcp group to avoid need for dac_override.
|
|
allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
|
|
|
|
allow dnsmasq dhcp_data_file:dir w_dir_perms;
|
|
allow dnsmasq dhcp_data_file:file create_file_perms;
|
|
|
|
# Inherit and use open files from netd.
|
|
allow dnsmasq netd:fd use;
|
|
allow dnsmasq netd:fifo_file { getattr read write };
|
|
# TODO: Investigate whether these inherited sockets should be closed on exec.
|
|
allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
|
|
allow dnsmasq netd:netlink_nflog_socket { read write };
|
|
allow dnsmasq netd:netlink_route_socket { read write };
|
|
allow dnsmasq netd:unix_stream_socket { getattr read write };
|
|
allow dnsmasq netd:unix_dgram_socket { read write };
|
|
allow dnsmasq netd:udp_socket { read write };
|
|
|
|
# sometimes a network device vanishes and we try to load module netdev-{devicename}
|
|
dontaudit dnsmasq kernel:system module_request;
|