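policy_module(nsd, 1.5.0)

########################################
#
# Declarations
#

# Daemon domain and its entrypoint executable. init_daemon_domain() makes
# init transition into nsd_t when it executes a file labeled nsd_exec_t.
type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t, nsd_exec_t)

# A type for configuration files of nsd
type nsd_conf_t;
files_type(nsd_conf_t)

# Domain for the zone update cron job. It is entered through the same
# executable as the daemon (nsd_exec_t); the cron_system_entry() call in
# the optional_policy block at the end of the file is what lets the system
# crond run it.
type nsd_crond_t;
domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t, nsd_exec_t)
role system_r types nsd_crond_t;

# a type for nsd.db
type nsd_db_t;
files_type(nsd_db_t)

# PID file type; the daemon creates it via files_pid_filetrans() below.
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)

# A type for zone files
type nsd_zone_t;
files_type(nsd_zone_t)

########################################
#
# NSD Local policy
#

# dac_override bypasses discretionary permission checks on files entirely.
# NOTE(review): setuid/setgid/chown are also granted, so the daemon appears
# to change identity after start; confirm dac_override is still required
# once the db, zone and pid locations are owned by the daemon's runtime user.
allow nsd_t self:capability { dac_override chown setuid setgid };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
allow nsd_t self:tcp_socket create_stream_socket_perms;
allow nsd_t self:udp_socket create_socket_perms;

# Configuration is read-only for the daemon.
allow nsd_t nsd_conf_t:dir list_dir_perms;
read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)

# The daemon manages nsd.db; a file it creates inside a zone directory is
# labeled nsd_db_t instead of inheriting nsd_zone_t from the directory.
allow nsd_t nsd_db_t:file manage_file_perms;
filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)

manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
files_pid_filetrans(nsd_t, nsd_var_run_t, file)

# Zone files are read-only for the daemon; only nsd_crond_t writes them.
allow nsd_t nsd_zone_t:dir list_dir_perms;
read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)

can_exec(nsd_t, nsd_exec_t)

kernel_read_system_state(nsd_t)
kernel_read_kernel_sysctls(nsd_t)

corecmd_exec_bin(nsd_t)

# Network: binding is restricted to the DNS port, but the *_sendrecv_all_ports
# rules allow traffic on any port.
# NOTE(review): that is broader than an authoritative DNS server needs;
# worth narrowing to the dns port if nothing else depends on it.
corenet_all_recvfrom_unlabeled(nsd_t)
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
corenet_tcp_sendrecv_all_nodes(nsd_t)
corenet_udp_sendrecv_all_nodes(nsd_t)
corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_all_nodes(nsd_t)
corenet_udp_bind_all_nodes(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
corenet_sendrecv_dns_server_packets(nsd_t)

dev_read_sysfs(nsd_t)

domain_use_interactive_fds(nsd_t)

files_read_etc_files(nsd_t)
files_read_etc_runtime_files(nsd_t)
# Search /var/lib; presumably needed to reach nsd_db_t there -- confirm
# against nsd.fc. (This rule was previously misfiled in the cron job section.)
files_search_var_lib(nsd_t)

fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)

libs_use_ld_so(nsd_t)
libs_use_shared_libs(nsd_t)

logging_send_syslog_msg(nsd_t)

miscfiles_read_localization(nsd_t)

sysnet_read_config(nsd_t)

userdom_dontaudit_use_unpriv_user_fds(nsd_t)

sysadm_dontaudit_search_home_dirs(nsd_t)

optional_policy(`
	nis_use_ypbind(nsd_t)
')

optional_policy(`
	seutil_sigchld_newrole(nsd_t)
')

optional_policy(`
	udev_read_db(nsd_t)
')

########################################
#
# Zone update cron job local policy
#

# kill capability for root cron job and non-root daemon
allow nsd_crond_t self:capability { dac_override kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
allow nsd_crond_t self:tcp_socket create_socket_perms;
allow nsd_crond_t self:udp_socket create_socket_perms;

allow nsd_crond_t nsd_conf_t:file read_file_perms;

# Like the daemon, the cron job manages nsd.db and labels new files in a
# zone directory nsd_db_t.
allow nsd_crond_t nsd_db_t:file manage_file_perms;
filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)

# Signal the running daemon and inspect it through /proc.
allow nsd_crond_t nsd_t:process signal;

ps_process_pattern(nsd_crond_t, nsd_t)

# Unlike the daemon, the cron job writes zone files; a file it creates in
# the configuration directory is labeled nsd_zone_t rather than nsd_conf_t.
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)

can_exec(nsd_crond_t, nsd_exec_t)

kernel_read_system_state(nsd_crond_t)

corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)

# Outbound: connect_all_ports lets the job open a TCP connection to any port.
# NOTE(review): if the job only fetches zones over TCP/53,
# corenet_tcp_connect_dns_port() is the narrower rule.
corenet_all_recvfrom_unlabeled(nsd_crond_t)
corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
corenet_udp_sendrecv_all_nodes(nsd_crond_t)
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
corenet_udp_sendrecv_all_ports(nsd_crond_t)
corenet_tcp_connect_all_ports(nsd_crond_t)
corenet_sendrecv_all_client_packets(nsd_crond_t)

# for SSP
dev_read_urand(nsd_crond_t)

domain_dontaudit_read_all_domains_state(nsd_crond_t)

files_read_etc_files(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
files_search_var_lib(nsd_crond_t)

libs_use_ld_so(nsd_crond_t)
libs_use_shared_libs(nsd_crond_t)

logging_send_syslog_msg(nsd_crond_t)

miscfiles_read_localization(nsd_crond_t)

sysnet_read_config(nsd_crond_t)

sysadm_dontaudit_search_home_dirs(nsd_crond_t)

optional_policy(`
	cron_system_entry(nsd_crond_t, nsd_exec_t)
')

optional_policy(`
	nis_use_ypbind(nsd_crond_t)
')

optional_policy(`
	nscd_read_pid(nsd_crond_t)
')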