From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 1 Mar 2012 21:02:55 +0100 Subject: [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure Message-ID: <20120301200255.GA17815@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The DHCP daemon supports LDAP backends (next to its file-based backend). This patch adds support for this through the dhcp_use_ldap boolean. We also allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper startup). Signed-off-by: Sven Vermeulen
---
 dhcp.te | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/dhcp.te b/dhcp.te
index d4424ad..ab04a3d 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,6 +4,12 @@ policy_module(dhcp, 1.9.0)
 #
 # Declarations
 #
+##
+##

+## Enable LDAP backend support for DHCP daemon.
+##

+##
+gen_tunable(dhcp_use_ldap, false)
 type dhcpd_t;
 type dhcpd_exec_t;
@@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
 corenet_udp_bind_generic_node(dhcpd_t)
 corenet_tcp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_generic_port(dhcpd_t)
 corenet_udp_bind_pxe_port(dhcpd_t)
 corenet_tcp_connect_all_ports(dhcpd_t)
 corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
@@ -105,6 +112,10 @@ ifdef(`distro_gentoo',`
 allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
 ')
+tunable_policy(`dhcp_use_ldap',`
+ sysnet_use_ldap(dhcpd_t)
+')
+
 optional_policy(`
 # used for dynamic DNS
 bind_read_dnssec_keys(dhcpd_t)
--
1.7.3.4
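Review bot: `corenet_udp_bind_generic_port(dhcpd_t)` is added outside the `dhcp_use_ldap` tunable and without a comment, so every dhcpd_t process gains the right to bind UDP ports that carry no specific label, whether or not the LDAP backend is in use. The port bind rules around it in this hunk are each tied to a named port type (`dhcpd_port`, `pxe_port`), which makes the new line the broadest bind permission in the block. If the access is required at startup, record the reason beside the rule, for example `# dhcpd binds a non-DHCP UDP port at startup (AVC: <denial from audit log>)`, and check whether a narrower port interface would cover the observed denial. The enclosing network rules section starts and ends outside the hunk.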
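Review bot: The `dhcp_use_ldap` boolean does not by itself gate LDAP connectivity, because `corenet_tcp_connect_all_ports(dhcpd_t)` (visible as context in the second hunk) already allows dhcpd_t to connect over TCP to any port regardless of the tunable. With the boolean off, the `tunable_policy` block only withholds whatever else `sysnet_use_ldap` grants, which is not visible in this patch. An administrator who turns the boolean off could therefore wrongly assume that outbound LDAP traffic from the daemon is blocked. The tunable description in the first hunk should say so, e.g. `## Allow the DHCP daemon to use an LDAP backend (outbound TCP connects are permitted independently of this boolean).`, or the connect-all-ports rule should be narrowed in a follow-up so that the boolean becomes the real control.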