1dnsmasq_selinux(8) SELinux Policy dnsmasq dnsmasq_selinux(8)
2
6 dnsmasq_selinux - Security Enhanced Linux Policy for the dnsmasq pro‐
7 cesses
8
10 Security-Enhanced Linux secures the dnsmasq processes via flexible
11 mandatory access control.
12 The dnsmasq processes execute with the dnsmasq_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep dnsmasq_t
20
24 The dnsmasq_t SELinux type can be entered via the dnsmasq_exec_t file
25 type.
26 The default entrypoint paths for the dnsmasq_t domain are the follow‐
28 ing:
29 /usr/sbin/dnsmasq
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 dnsmasq policy is very flexible allowing users to setup their dnsmasq
40 processes in as secure a method as possible.
41 The following process types are defined for dnsmasq:
43 dnsmasq_t
45 Note: semanage permissive -a dnsmasq_t can be used to make the process
47 type dnsmasq_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. dnsmasq
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run dnsmasq with the tightest access possi‐
56 ble.
57 If you want to allow the dnsmasq to creating and using netlink_sockets,
61 you must turn on the dnsmasq_use_ipset boolean. Disabled by default.
62 setsebool -P dnsmasq_use_ipset 1
64 If you want to dontaudit all daemons scheduling requests (setsched,
68 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
69 Enabled by default.
70 setsebool -P daemons_dontaudit_scheduling 1
72 If you want to allow all domains to execute in fips_mode, you must turn
76 on the fips_mode boolean. Enabled by default.
77 setsebool -P fips_mode 1
79 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84 setsebool -P nis_enabled 1
86
90 The SELinux process type dnsmasq_t can manage files labeled with the
91 following file types. The paths listed are the default paths for these
92 file types. Note the processes UID still need to have DAC permissions.
93 NetworkManager_var_lib_t
95 /var/lib/wicd(/.*)?
97 /var/lib/NetworkManager(/.*)?
98 /etc/dhcp/wired-settings.conf
99 /etc/wicd/wired-settings.conf
100 /etc/dhcp/manager-settings.conf
101 /etc/wicd/manager-settings.conf
102 /etc/dhcp/wireless-settings.conf
103 /etc/wicd/wireless-settings.conf
104 NetworkManager_var_run_t
106 /var/run/teamd(/.*)?
108 /var/run/nm-xl2tpd.conf.*
109 /var/run/nm-dhclient.*
110 /var/run/NetworkManager(/.*)?
111 /var/run/wpa_supplicant(/.*)?
112 /var/run/wicd.pid
113 /var/run/NetworkManager.pid
114 /var/run/nm-dns-dnsmasq.conf
115 /var/run/wpa_supplicant-global
116 cluster_conf_t
118 /etc/cluster(/.*)?
120 cluster_var_lib_t
122 /var/lib/pcsd(/.*)?
124 /var/lib/cluster(/.*)?
125 /var/lib/openais(/.*)?
126 /var/lib/pengine(/.*)?
127 /var/lib/corosync(/.*)?
128 /usr/lib/heartbeat(/.*)?
129 /var/lib/heartbeat(/.*)?
130 /var/lib/pacemaker(/.*)?
131 cluster_var_run_t
133 /var/run/crm(/.*)?
135 /var/run/cman_.*
136 /var/run/rsctmp(/.*)?
137 /var/run/aisexec.*
138 /var/run/heartbeat(/.*)?
139 /var/run/pcsd-ruby.socket
140 /var/run/corosync-qnetd(/.*)?
141 /var/run/corosync-qdevice(/.*)?
142 /var/run/corosync.pid
143 /var/run/cpglockd.pid
144 /var/run/rgmanager.pid
145 /var/run/cluster/rgmanager.sk
146 crond_var_run_t
148 /var/run/.*cron.*
150 /var/run/crond?.pid
151 /var/run/crond?.reboot
152 /var/run/atd.pid
153 /var/run/fcron.pid
154 /var/run/fcron.fifo
155 /var/run/anacron.pid
156 dnsmasq_lease_t
158 /var/lib/dnsmasq(/.*)?
160 /var/lib/misc/dnsmasq.leases
161 dnsmasq_tmp_t
163 dnsmasq_var_run_t
166 /var/run/dnsmasq.*
168 /var/run/libvirt/network(/.*)?
169 krb5_host_rcache_t
171 /var/tmp/krb5_0.rcache2
173 /var/cache/krb5rcache(/.*)?
174 /var/tmp/nfs_0
175 /var/tmp/DNS_25
176 /var/tmp/host_0
177 /var/tmp/imap_0
178 /var/tmp/HTTP_23
179 /var/tmp/HTTP_48
180 /var/tmp/ldap_55
181 /var/tmp/ldap_487
182 /var/tmp/ldapmap1_0
183 mnt_t
185 /mnt(/[^/]*)?
187 /mnt(/[^/]*)?
188 /rhev(/[^/]*)?
189 /rhev/[^/]*/.*
190 /media(/[^/]*)?
191 /media(/[^/]*)?
192 /media/.hal-.*
193 /var/run/media(/[^/]*)?
194 /afs
195 /net
196 /misc
197 /rhev
198 neutron_var_lib_t
200 /var/lib/neutron(/.*)?
202 /var/lib/quantum(/.*)?
203 root_t
205 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
207 /
208 /initrd
209
212 SELinux requires files to have an extended attribute to define the file
213 type.
214 You can see the context of a file using the -Z option to ls
216 Policy governs the access confined processes have to these files.
218 SELinux dnsmasq policy is very flexible allowing users to setup their
219 dnsmasq processes in as secure a method as possible.
220 STANDARD FILE CONTEXT
222 SELinux defines the file context types for the dnsmasq, if you wanted
224 to store files with these types in a different paths, you need to exe‐
225 cute the semanage command to specify alternate labeling and then use
226 restorecon to put the labels on disk.
227 semanage fcontext -a -t dnsmasq_exec_t '/srv/dnsmasq/content(/.*)?'
229 restorecon -R -v /srv/mydnsmasq_content
230 Note: SELinux often uses regular expressions to specify labels that
232 match multiple files.
233 The following file types are defined for dnsmasq:
235 dnsmasq_etc_t
239 - Set files with the dnsmasq_etc_t type, if you want to store dnsmasq
241 files in the /etc directories.
242 Paths:
245 /etc/dnsmasq.d(/.*)?, /etc/dnsmasq.conf
246 dnsmasq_exec_t
249 - Set files with the dnsmasq_exec_t type, if you want to transition an
251 executable to the dnsmasq_t domain.
252 dnsmasq_initrc_exec_t
256 - Set files with the dnsmasq_initrc_exec_t type, if you want to transi‐
258 tion an executable to the dnsmasq_initrc_t domain.
259 dnsmasq_lease_t
263 - Set files with the dnsmasq_lease_t type, if you want to treat the
265 files as dnsmasq lease data.
266 Paths:
269 /var/lib/dnsmasq(/.*)?, /var/lib/misc/dnsmasq.leases
270 dnsmasq_tmp_t
273 - Set files with the dnsmasq_tmp_t type, if you want to store dnsmasq
275 temporary files in the /tmp directories.
276 dnsmasq_unit_file_t
280 - Set files with the dnsmasq_unit_file_t type, if you want to treat the
282 files as dnsmasq unit content.
283 dnsmasq_var_log_t
287 - Set files with the dnsmasq_var_log_t type, if you want to treat the
289 data as dnsmasq var log data, usually stored under the /var/log direc‐
290 tory.
291 dnsmasq_var_run_t
295 - Set files with the dnsmasq_var_run_t type, if you want to store the
297 dnsmasq files under the /run or /var/run directory.
298 Paths:
301 /var/run/dnsmasq.*, /var/run/libvirt/network(/.*)?
302 Note: File context can be temporarily modified with the chcon command.
305 If you want to permanently change the file context you need to use the
306 semanage fcontext command. This will modify the SELinux labeling data‐
307 base. You will need to use restorecon to apply the labels.
308
311 semanage fcontext can also be used to manipulate default file context
312 mappings.
313 semanage permissive can also be used to manipulate whether or not a
315 process type is permissive.
316 semanage module can also be used to enable/disable/install/remove pol‐
318 icy modules.
319 semanage boolean can also be used to manipulate the booleans
321 system-config-selinux is a GUI tool available to customize SELinux pol‐
324 icy settings.
325
328 This manual page was auto-generated using sepolicy manpage .
329
332 selinux(8), dnsmasq(8), semanage(8), restorecon(8), chcon(1), sepol‐
333 icy(8), setsebool(8)
334dnsmasq 23-10-20 dnsmasq_selinux(8)