# Network namespace transitions
#
# Policy for the execns helper: a daemon launched by init that joins a
# network namespace and runs networking programs (dhcpclient, dhcpserver,
# hostapd) inside it.  The namespace file is located through createns'
# proc entries (see the createns rules at the bottom of this file).
type execns, domain;
type execns_exec, exec_type, vendor_file_type, file_type;

init_daemon_domain(execns)

# Read-only access to varrun_file-labelled directories and files.
allow execns varrun_file:dir search;
allow execns varrun_file:file r_file_perms;
# CAP_SYS_ADMIN is what setns(2) needs to join another namespace.
# NOTE(review): this is a very broad capability; every other permission
# in this domain is effectively held alongside it, so keep the rest minimal.
allow execns self:capability sys_admin;
# Open and read namespace handles (nsfs) once located via proc.
allow execns nsfs:file { open read };

# Allow execns itself to be run by init in its own domain.
# NOTE(review): init_daemon_domain() above normally already expands to this
# same init -> execns transition, so this line looks redundant — confirm
# against the te_macros definition before removing it.
domain_auto_trans(init, execns_exec, execns);

# Allow dhcpclient to be run by execns in its own domain
# (hostapd, below, is deliberately NOT handled this way).
domain_auto_trans(execns, dhcpclient_exec, dhcpclient);

# Allow dhcpserver to be run by execns in its own domain
domain_auto_trans(execns, dhcpserver_exec, dhcpserver);

# Rules to allow execution of hostapd and allow it to run.
# execute_no_trans means hostapd keeps running in the execns domain rather
# than transitioning to its own hal_wifi_hostapd domain, so the capability
# and socket rules that follow (plus the sys_admin granted above) are the
# privileges hostapd actually runs with.  Hostapd is the reason the
# net_admin/net_raw capabilities and the netlink/packet sockets are here.
allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
allow execns self:capability { net_admin net_raw };
allow execns self:netlink_generic_socket { bind create getattr read setopt write };
allow execns self:netlink_route_socket { bind create read write nlmsg_write };
# "execns" as the target type is equivalent to "self" here; udp_socket ioctl
# is further restricted to the priv_sock_ioctls set by the allowxperm below.
allow execns execns:udp_socket { create ioctl };
allow execns self:packet_socket { create setopt };
allow execns sysfs_net:dir { search };
# Extended-permission filter: only the ioctls in priv_sock_ioctls (defined
# elsewhere in the policy) are permitted on the domain's udp sockets.
allowxperm execns self:udp_socket ioctl priv_sock_ioctls;

# Allow execns to read createns proc file to get the namespace file
# (directory search, regular-file read and symlink read are all needed to
# resolve the ns entry; no write access to createns is granted).
allow execns createns:file read;
allow execns createns:dir search;
allow execns createns:lnk_file read;