commit: 91bd6c86deef7614809b3d43d9df34f253b998fe Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sat Jan 3 12:18:20 2015 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sat Jan 3 12:20:54 2015 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91bd6c86
Enable support for DNSSEC The dnsmasq application reads in the trust anchors that are by default in /usr/share/dnsmasq. Considering that these are sort-of configuration files, I'd wager that a dnsmasq administrator might want to have manage rights on this. The dnsmasq application at least needs read access at this location. We could either grant read privileges on usr_t, but that would increase the read privs of dnsmasq unnecessarily, and does not allow the dnsmasq administrator to edit the file. We could create a separate type for this, but then both the dnsmasq_dnssec_t (or whatever it is called) and dnsmasq_etc_t would have the same access privileges associated with it. Hence, we reuse dnsmasq_etc_t. See also bug #531836 at https://bugs.gentoo.org/show_bug.cgi?id=531836 --- policy/modules/contrib/dnsmasq.fc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc index 6bc891a..8ca133c 100644 --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -12,3 +12,8 @@ /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) + +ifdef(`distro_gentoo',` +# Fix bug 531836 - Needed to support dnssec in dnsmasq +/usr/share/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0) +')
