# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#    Copyright (C) 2015 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Note that this profile doesn't include any NetDomain rules; dhclient uses
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
# /bin/ps                     mrix,
# /sbin/arp                   mrix,
# /usr/bin/dig                mrix,
# /usr/bin/uptime             mrix,
# /usr/bin/vmstat             mrix,
# /usr/bin/w                  mrix,

abi <abi/4.0>,

include <tunables/global>

profile dhclient /{usr/,}sbin/dhclient {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/nameservice>

  capability net_raw,

  network packet packet,
  network packet raw,

  signal (send,receive) set=(term) peer=NetworkManager,

  /{usr/,}sbin/dhclient       mrix,

  /{usr/,}bin/bash            mrix,
  /{usr/,}bin/df              mrix,
  /{usr/,}bin/netstat         Px,
  /{usr/,}bin/ps              mrix,
  /dev/random                 r,
  /etc/dhclient.conf          r,
  @{PROC}/                    r,
  @{PROC}/interrupts          r,
  @{PROC}/@{pid}/net/dev      r,
  @{PROC}/rtc                 r,

  # dhcliet wants to update its threads with functional names
  # see lp1918410
  owner @{PROC}/@{pid}/task/[0-9]*/comm rw,

  # following rule shouldn't work, self is a symlink
  @{PROC}/self/status         r,
  /{usr/,}sbin/arp            mrix,
  /{usr/,}bin/dig             mrix,
  /{usr/,}bin/uptime          mrix,
  /{usr/,}bin/vmstat          mrix,
  /{usr/,}bin/w               mrix,
  /usr/lib/{NetworkManager/,}nm-dhcp-helper rix,
  /var/lib/dhclient/dhclient{6,}.leases*	rw,
  /var/lib/dhcp/dhclient*.leases   rw,
  /var/lib/dhcp{6,}/dhclient.leases    rw,
  /var/lib/NetworkManager/dhclient{6,}-*.conf r,
  /var/lib/NetworkManager/dhclient{6,}-*.lease rw,
  /var/log/lastlog            r,
  /var/log/messages           r,
  /var/log/wtmp               r,
  /{,var/}run/dhclient{6,}.pid    rw,
  /{,var/}run/dhclient{6,}{-,.}*.pid  rw,
  /var/spool                  r,
  /var/spool/mail             r,

  # This one will need to be fleshed out depending on what the user is doing
  /{usr/,}sbin/dhclient-script mrpix,

  /{usr/,}bin/grep mrix,
  /{usr/,}bin/sleep mrix,
  /etc/sysconfig/network/dhcp r,
  /etc/sysconfig/network/scripts/functions.common r,
  /etc/sysconfig/network/scripts/functions r,
  /{usr/,}sbin/ip mrix,
  /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
  /var/lib/dhcp/* rw,
  /{,var/}run/nm-dhclient-*.conf r,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/sbin.dhclient>
}