Return-Path: <SRS0=K1jV=NV=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5729CC43441
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 10 Nov 2018 00:43:14 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 1E7FD2081C
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 10 Nov 2018 00:43:14 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="RZLJFF5a"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1E7FD2081C
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=ieee.org
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728082AbeKJK0S (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 10 Nov 2018 05:26:18 -0500
Received: from mail-qk1-f196.google.com ([209.85.222.196]:44145 "EHLO
        mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727730AbeKJK0R (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 10 Nov 2018 05:26:17 -0500
Received: by mail-qk1-f196.google.com with SMTP id n12so4846851qkh.11
        for <selinux-refpolicy@vger.kernel.org>; Fri, 09 Nov 2018 16:43:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=0RIeCc9DOw70xRrRP15WHCz/AkAAtnAPplVQBYMF91Y=;
        b=RZLJFF5aHwtvnm7yPEJj5iSDFfXorSs1a6t2K/hLzaxkFOpfv6pEjTL3PVdDDafozL
         oqHbkaBR7GK9Nmvys7Q6oPNR8i5ZVNlJM9qYdRwpU/cFgOo5LVlJQ+lHc1CCrHLfJ6iZ
         EOdQPdAfjeL8A0vnjNGTYjklbO4pmFKF5amcY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=0RIeCc9DOw70xRrRP15WHCz/AkAAtnAPplVQBYMF91Y=;
        b=mP8k4LdO2EvIGsUmYEcI644hZkfChLzxPYxCIC6hFkbQFktj1oQOomH7fnnoSR1Tv4
         KZM5bMvdad2onjt80lN0j4do4yTNZboscHK1xbYqT6WNNmR0PnfWozwxP5z/lU2VpxvC
         gslIROLhpszbPymLwIYB3vPkPgxSgWFKF5U7pROvrAUlXTRnXJIu1FdkbBVqc3ifyLk9
         W0rE5w1yYPl5BIJpO/M1LhNoL/5PsPwQDb2cpJhp8hT05CvqehNNqVEDTue/Pe7+kYwp
         ZbXYafARHo1bf+lMcPOj0DGk4oDnZA9kAYhYiDwhgR7keZMK8EfzdsQFGqmXqvLZyxTZ
         zn0g==
X-Gm-Message-State: AGRZ1gKE95gebYxDXDhpIHc1RriMws2T6Jy1n7DBJC46UBWRh8dZx+KQ
        VU7D9ePj6MnlHhZoTR2bfQWxtQ==
X-Google-Smtp-Source: AJdET5cUnkKJji8rQtkeGvH/gdEnKLPLSEYKwRlhMDMcs7jkHryQiDzSfvS+d5UZcS+tQhO6gmhEfA==
X-Received: by 2002:aed:20a3:: with SMTP id 32-v6mr10853358qtb.195.1541810592478;
        Fri, 09 Nov 2018 16:43:12 -0800 (PST)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id y14sm6607989qky.83.2018.11.09.16.43.11
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 09 Nov 2018 16:43:12 -0800 (PST)
Subject: Re: [PATCH 2/2] dnsmasq: Add support for lxc-net, lxd-bridge,
 NetworkManager
To:     Petr Vorel <pvorel@suse.cz>, selinux-refpolicy@vger.kernel.org
Cc:     Chris PeBenito <cpebenito@tresys.com>,
        Dan Walsh <dwalsh@redhat.com>
References: <20181107205736.21748-1-pvorel@suse.cz>
 <20181107205736.21748-2-pvorel@suse.cz>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <1a589e89-1c8e-48ac-27b4-198cfb5f78f4@ieee.org>
Date:   Fri, 9 Nov 2018 19:30:42 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20181107205736.21748-2-pvorel@suse.cz>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 11/07/2018 03:57 PM, Petr Vorel wrote:
> * lxc-net pid and lease files:
> /var/run/lxc/dnsmasq.pid
> /var/lib/misc/dnsmasq.*.leases
> 
> * lxd-bridge pid and lease files:
> /var/run/lxd-bridge/dnsmasq.pid
> /var/lib/lxd-bridge/dnsmasq.*.leases
> /var/lib/lxd/networks/*/dnsmasq.leases
> /var/lib/lxd/networks/*/dnsmasq.pid
> 
> * NetworkManager pid, lease and configuration files:
> /var/lib/NetworkManager/dnsmasq-*.leases
> /run/nm-dns-dnsmasq.conf
> /run/nm-dnsmasq-*.pid
> /run/sendsigs.omit.d/*dnsmasq.pid
> /run/NetworkManager/dnsmasq.conf
> /run/NetworkManager/dnsmasq.pid
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   policy/modules/services/dnsmasq.fc | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
> index 4c34df3c..d1fb367e 100644
> --- a/policy/modules/services/dnsmasq.fc
> +++ b/policy/modules/services/dnsmasq.fc
> @@ -1,5 +1,7 @@
>   /etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
>   /etc/dnsmasq\.d(/.*)?   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/nm-dns-dnsmasq.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
> +/run/NetworkManager/dnsmasq.conf   gen_context(system_u:object_r:dnsmasq_etc_t,s0)

Unfortunately there already was some ordering problems in the file (I've 
since fixed them).  These should go with the other /run lines.  Also 
escape the \.conf.


>   /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
>   
> @@ -10,10 +12,18 @@
>   
>   /usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
>   
> -/var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/misc/dnsmasq(\..+)?\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   /var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd-bridge/dnsmasq\..+\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/lxd/networks/\.*/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
> +/var/lib/NetworkManager/dnsmasq-.*\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
>   
>   /var/log/dnsmasq(.*)?\.log	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
>   
>   /run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
>   /run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/(lxc|lxd-bridge|NetworkManager)/dnsmasq.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/var/lib/lxd/networks/\.+/dnsmasq.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +
> +/run/nm-dnsmasq-.+.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
> +/run/sendsigs\.omit\.d/.*dnsmasq.pid	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

Same thing here with the line placement.



-- 
Chris PeBenito