From 45815c3e4012639334888b4a380192443f5b711f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 12 Mar 2014 15:12:52 -0400
Subject: [PATCH] Allow dnsmasq dac_override capability.
dnsmasq presently requires dac_override to create files under /data/misc/dhcp. Until it can be changed to run with group dhcp, allow dac_override.
Addresses denials such as:
avc: denied { dac_override } for pid=21166 comm="dnsmasq" capability=1 scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability
Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dnsmasq.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dnsmasq.te b/dnsmasq.te
index 61382a207..9a9882d66 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -5,6 +5,9 @@ type dnsmasq_exec, exec_type, file_type;
 net_domain(dnsmasq)
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:capability dac_override;
+
 allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
--
GitLab
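Review bot: The added `allow dnsmasq self:capability dac_override;` lets dnsmasq bypass DAC read, write and execute checks on every object its type-enforcement rules reach, which is wider than the stated need of creating files under /data/misc/dhcp. The TODO comment names the eventual fix but not the reason for the rule, so the policy file itself gives nothing to test against when the rule is removed; I would write it as `# TODO: dac_override is needed only to create files under /data/misc/dhcp; run dnsmasq with group dhcp and drop this rule.` While the rule stands, file ownership and mode bits no longer constrain dnsmasq, so type-enforcement rules such as the `dhcp_data_file` one in this hunk are its only file-access limit. The rest of dnsmasq.te is outside the hunk and should be checked with that in mind.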