# SELinux policy for the BIND DNS server: the named daemon domain (named_t)
# and its control client domain (ndc_t), plus the file types they use.
policy_module(bind, 1.8.0)

########################################
#
# Declarations
#

# Off by default. While off, named_t only gets read access to the primary
# zone files (named_zone_t); see the tunable_policy block further down.
## <desc>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS or zone transfers.
## </p>
## </desc>
gen_tunable(named_write_master_zones, false)

# for DNSSEC key files
# Labelled as a security file; both named_t and ndc_t are granted
# read-only access to it below.
type dnssec_t;
files_security_file(dnssec_t)

# The daemon domain, entered from named_exec_t when started by init.
type named_t;
type named_exec_t;
init_daemon_domain(named_t, named_exec_t)
role system_r types named_t;

# Presumably the named-checkconf binary; it runs in named_t as well.
type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)

# A type for configuration files of named.
# named_t is only ever granted read access to this type (see below).
type named_conf_t;
files_type(named_conf_t)
files_mountpoint(named_conf_t)

# for secondary zone files
type named_cache_t;
files_type(named_cache_t)

type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)

type named_log_t;
logging_log_file(named_log_t)

type named_tmp_t;
files_tmp_file(named_tmp_t)

# pid file plus the control socket that ndc_t connects to
type named_var_run_t;
files_pid_file(named_var_run_t)

# for primary zone files
type named_zone_t;
files_type(named_zone_t)

# Control client domain (ndc/rndc), a system domain rather than a daemon.
type ndc_t;
type ndc_exec_t;
init_system_domain(ndc_t, ndc_exec_t)
role system_r types ndc_t;

########################################
#
# Named local policy
#

# chown/fowner/dac_override: owning files and bypassing DAC permission
# checks; setuid/setgid: switching identity; sys_chroot: chroot;
# sys_nice and sys_resource: scheduling priority and resource limits.
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
# TCP and UDP sockets for serving and issuing DNS queries
allow named_t self:tcp_socket create_stream_socket_perms;
allow named_t self:udp_socket create_socket_perms;

# key material is read-only for the daemon
allow named_t dnssec_t:file read_file_perms;

# read configuration
allow named_t named_conf_t:dir list_dir_perms;
read_files_pattern(named_t, named_conf_t, named_conf_t)
read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)

# write cache for secondary zones
manage_files_pattern(named_t, named_cache_t, named_cache_t)
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)

# execute its own binary without a domain transition
can_exec(named_t, named_exec_t)

# logs, tmp and pid files; the filetrans interfaces give files the daemon
# creates in the generic log/tmp/pid directories the private types above
manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, { file dir })

manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })

manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
files_pid_filetrans(named_t, named_var_run_t, { file sock_file })

# read zone files
# (write access is gated by the named_write_master_zones tunable below)
allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)

kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)

corecmd_search_bin(named_t)

# Network access. Packets are accepted from unlabeled and NetLabel peers,
# traffic is allowed on all interfaces, nodes and ports, and the daemon
# binds the DNS port on TCP and UDP and the rndc control port on TCP.
# Note the breadth of two of these rules: named_t may connect to any TCP
# port and bind any unreserved UDP port (presumably for query source
# ports; worth confirming that both are still required).
corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_all_if(named_t)
corenet_udp_sendrecv_all_if(named_t)
corenet_tcp_sendrecv_all_nodes(named_t)
corenet_udp_sendrecv_all_nodes(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
corenet_udp_sendrecv_all_ports(named_t)
corenet_tcp_bind_all_nodes(named_t)
corenet_udp_bind_all_nodes(named_t)
corenet_tcp_bind_dns_port(named_t)
corenet_udp_bind_dns_port(named_t)
corenet_tcp_bind_rndc_port(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_sendrecv_dns_server_packets(named_t)
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
corenet_udp_bind_all_unreserved_ports(named_t)

# sysfs and the random devices (presumably entropy for DNSSEC and query
# randomization; not established by this file)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)

domain_use_interactive_fds(named_t)

files_read_etc_files(named_t)
files_read_etc_runtime_files(named_t)

fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)

auth_use_nsswitch(named_t)

libs_use_ld_so(named_t)
libs_use_shared_libs(named_t)

logging_send_syslog_msg(named_t)

miscfiles_read_localization(named_t)
miscfiles_read_certs(named_t)

sysnet_read_config(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)

sysadm_dontaudit_search_home_dirs(named_t)

# Only when the tunable is enabled: full manage rights on the primary
# zone files, their symlinks and their directories (dynamic DNS and
# zone transfers, per the tunable description).
tunable_policy(`named_write_master_zones',`
	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
	manage_files_pattern(named_t, named_zone_t,named_zone_t)
	manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
')

# D-Bus: system bus client that chats with init scripts, the DHCP client
# and, when that module is present, NetworkManager
optional_policy(`
	init_dbus_chat_script(named_t)

	sysnet_dbus_chat_dhcpc(named_t)

	dbus_system_bus_client_template(named, named_t)
	dbus_connect_system_bus(named_t)

	optional_policy(`
		networkmanager_dbus_chat(named_t)
	')
')

optional_policy(`
	kerberos_use(named_t)
')

optional_policy(`
	# this seems like fds that are not being
	# closed. these should probably be
	# dontaudits instead.
	networkmanager_rw_udp_sockets(named_t)
	networkmanager_rw_packet_sockets(named_t)
	networkmanager_rw_routing_sockets(named_t)
')

optional_policy(`
	seutil_sigchld_newrole(named_t)
')

optional_policy(`
	udev_read_db(named_t)
')

########################################
#
# NDC local policy
#

# cjp: why net_admin?!
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
# read-only use of the routing netlink socket
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;

# key files are read-only here too
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file { getattr read };

# connect to the control socket named_t creates under named_var_run_t
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)

# read the configuration (on Red Hat this includes the rndc key; see the
# distro_redhat block below)
allow ndc_t named_conf_t:file read_file_perms;
allow ndc_t named_conf_t:lnk_file { getattr read };

# search only; ndc_t is never given read access to zone file contents
allow ndc_t named_zone_t:dir search_dir_perms;

kernel_read_kernel_sysctls(ndc_t)

# TCP client side of the rndc control channel
corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_all_if(ndc_t)
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_bind_all_nodes(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)

domain_use_interactive_fds(ndc_t)

files_read_etc_files(ndc_t)
files_search_pids(ndc_t)

fs_getattr_xattr_fs(ndc_t)

init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)

libs_use_ld_so(ndc_t)
libs_use_shared_libs(ndc_t)

logging_send_syslog_msg(ndc_t)

miscfiles_read_localization(ndc_t)

sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)

# for /etc/rndc.key
ifdef(`distro_redhat',`
	allow ndc_t named_conf_t:dir search;
')

optional_policy(`
	nis_use_ypbind(ndc_t)
')

optional_policy(`
	nscd_socket_use(ndc_t)
')

optional_policy(`
	ppp_dontaudit_use_fds(ndc_t)
')