Allow dnsmasq dac_override capability.

dnsmasq presently requires dac_override to create files under /data/misc/dhcp. Until it can be changed to run with group dhcp, allow dac_override. Addresses denials such as: avc: denied { dac_override } for pid=21166 comm="dnsmasq" capability=1 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 15:12:52 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> 2014-03-12 15:12:52 -0400
commit: 45815c3e4012639334888b4a380192443f5b711f (patch)
tree: 092e6c8592f2ad7ba07ef3bfff7a5231f0515acb /dnsmasq.te
parent: cb8c52623b304e78a707ec5bde4329d01e88cda4 (diff)
download: android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.tar.gz
android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.tar.bz2
android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/dnsmasq.te b/dnsmasq.te
index 61382a2..9a9882d 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -5,6 +5,9 @@ type dnsmasq_exec, exec_type, file_type;
 
 net_domain(dnsmasq)
 
+# TODO:  Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:capability dac_override;
+
 allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
author	Stephen Smalley <sds@tycho.nsa.gov>	2014-03-12 15:12:52 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	2014-03-12 15:12:52 -0400
commit	45815c3e4012639334888b4a380192443f5b711f (patch)
tree	092e6c8592f2ad7ba07ef3bfff7a5231f0515acb /dnsmasq.te
parent	cb8c52623b304e78a707ec5bde4329d01e88cda4 (diff)
download	android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.tar.gz android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.tar.bz2 android_external_sepolicy-45815c3e4012639334888b4a380192443f5b711f.zip