author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2015-01-03 13:18:20 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2015-01-03 13:20:54 +0100 |
commit | 91bd6c86deef7614809b3d43d9df34f253b998fe (patch) | |
tree | 94f2d65f17300b695b23c392fa49180c9ef0be41 | |
parent | Upstream merged (diff) | |
Enable support for DNSSEC

The dnsmasq application reads in the trust anchors that are by default
in /usr/share/dnsmasq. Considering that these are sort-of configuration
files, I'd wager that a dnsmasq administrator might want to have manage
rights on this. The dnsmasq application at least needs read access at
this location.

We could either grant read privileges on usr_t, but that would increase
the read privs of dnsmasq unnecessarily, and does not allow the dnsmasq
administrator to edit the file.

We could create a separate type for this, but then both the
dnsmasq_dnssec_t (or whatever it is called) and dnsmasq_etc_t would have
the same access privileges associated with it. Hence, we reuse
dnsmasq_etc_t.

See also bug #531836 at https://bugs.gentoo.org/show_bug.cgi?id=531836
-rw-r--r-- | policy/modules/contrib/dnsmasq.fc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc index 6bc891a1b..8ca133c0c 100644 --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -12,3 +12,8 @@ /var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) + +ifdef(`distro_gentoo',` +# Fix bug 531836 - Needed to support dnssec in dnsmasq +/usr/share/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0) +') |
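Review bot: the expression "/usr/share/dnsmasq(/.*)?" in the new distro_gentoo block matches the directory and everything beneath it, so every file installed there is labeled dnsmasq_etc_t, not only the trust anchors the commit message talks about. Anything that can write dnsmasq_etc_t can then also change whatever else lands in that directory. If the directory is only ever expected to hold the trust anchors, say so in the comment; otherwise narrow the expression to the trust-anchor file(s). The comment "# Fix bug 531836 - Needed to support dnssec in dnsmasq" would also be more useful if it recorded why dnsmasq_etc_t is reused instead of usr_t or a dedicated type, since that reasoning currently lives only in the commit message, and if it named the tracker (bugs.gentoo.org) so the number is unambiguous once the policy is read outside Gentoo.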