selinux-refpolicy/policy/modules/services/stubby.te
Chris PeBenito 78276fc43b Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00

52 lines
1.2 KiB
Plaintext

policy_module(stubby)
########################################
#
# Declarations
#
type stubby_t;
type stubby_exec_t;
init_daemon_domain(stubby_t, stubby_exec_t)
type stubby_etc_t;
files_config_file(stubby_etc_t)
type stubby_unit_t;
init_unit_file(stubby_unit_t)
########################################
#
# Local policy
#
allow stubby_t self:tcp_socket create_stream_socket_perms;
allow stubby_t self:udp_socket create_stream_socket_perms;
read_files_pattern(stubby_t, stubby_etc_t, stubby_etc_t)
corenet_tcp_bind_dns_port(stubby_t)
corenet_tcp_bind_generic_node(stubby_t)
corenet_udp_bind_dns_port(stubby_t)
corenet_udp_bind_generic_node(stubby_t)
# DNS-over-TLS uses TCP port 853
corenet_tcp_connect_dns_port(stubby_t)
# DNS-over-HTTPS uses TCP port 443
corenet_tcp_connect_http_port(stubby_t)
# for /etc/trusted-key.key
files_read_etc_files(stubby_t)
miscfiles_read_generic_certs(stubby_t)
miscfiles_read_localization(stubby_t)
sysnet_read_config(stubby_t)
ifdef(`init_systemd',`
# stubby systemd service uses DynamicUser=yes, which makes it call
# LookupDynamicUserByUID in order to get its own user name.
init_dbus_chat(stubby_t)
dbus_system_bus_client(stubby_t)
')