d83fdad2 | 1 | |
29af4c13 | 2 | policy_module(bind, 1.11.0) |
d83fdad2 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
56e1b3d2 CP |
9 | ## <desc> |
10 | ## <p> | |
11 | ## Allow BIND to write the master zone files. | |
dd9e1de3 | 12 | ## Generally this is used for dynamic DNS or zone transfers. |
56e1b3d2 CP |
13 | ## </p> |
14 | ## </desc> | |
0bfccda4 | 15 | gen_tunable(named_write_master_zones, false) |
56e1b3d2 | 16 | |
d83fdad2 | 17 | # for DNSSEC key files |
a2868f6e CP |
18 | type dnssec_t; |
19 | files_security_file(dnssec_t) | |
d83fdad2 CP |
20 | |
21 | type named_t; | |
22 | type named_exec_t; | |
0bfccda4 | 23 | init_daemon_domain(named_t, named_exec_t) |
d83fdad2 CP |
24 | role system_r types named_t; |
25 | ||
98a8ead4 | 26 | type named_checkconf_exec_t; |
0bfccda4 | 27 | init_system_domain(named_t, named_checkconf_exec_t) |
98a8ead4 | 28 | |
d83fdad2 CP |
29 | # A type for configuration files of named. |
30 | type named_conf_t; | |
31 | files_type(named_conf_t) | |
d8636fc9 | 32 | files_mountpoint(named_conf_t) |
d83fdad2 CP |
33 | |
34 | # for secondary zone files | |
35 | type named_cache_t; | |
36 | files_type(named_cache_t) | |
37 | ||
f5394cc3 CP |
38 | type named_initrc_exec_t; |
39 | init_script_file(named_initrc_exec_t) | |
40 | ||
98a8ead4 CP |
41 | type named_log_t; |
42 | logging_log_file(named_log_t) | |
43 | ||
d83fdad2 CP |
44 | type named_tmp_t; |
45 | files_tmp_file(named_tmp_t) | |
46 | ||
47 | type named_var_run_t; | |
48 | files_pid_file(named_var_run_t) | |
49 | ||
50 | # for primary zone files | |
51 | type named_zone_t; | |
52 | files_type(named_zone_t) | |
53 | ||
54 | type ndc_t; | |
55 | type ndc_exec_t; | |
0bfccda4 | 56 | init_system_domain(ndc_t, ndc_exec_t) |
d83fdad2 CP |
57 | role system_r types ndc_t; |
58 | ||
59 | ######################################## | |
60 | # | |
61 | # Named local policy | |
62 | # | |
63 | ||
64 | allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; | |
65 | dontaudit named_t self:capability sys_tty_config; | |
f5394cc3 | 66 | allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; |
c0868a7a | 67 | allow named_t self:fifo_file rw_fifo_file_perms; |
d83fdad2 CP |
68 | allow named_t self:unix_stream_socket create_stream_socket_perms; |
69 | allow named_t self:unix_dgram_socket create_socket_perms; | |
70 | allow named_t self:tcp_socket create_stream_socket_perms; | |
71 | allow named_t self:udp_socket create_socket_perms; | |
d83fdad2 | 72 | |
0b36a214 | 73 | allow named_t dnssec_t:file read_file_perms; |
d83fdad2 CP |
74 | |
75 | # read configuration | |
c0868a7a | 76 | allow named_t named_conf_t:dir list_dir_perms; |
0bfccda4 CP |
77 | read_files_pattern(named_t, named_conf_t, named_conf_t) |
78 | read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) | |
d83fdad2 CP |
79 | |
80 | # write cache for secondary zones | |
0bfccda4 CP |
81 | manage_files_pattern(named_t, named_cache_t, named_cache_t) |
82 | manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) | |
d83fdad2 CP |
83 | |
84 | can_exec(named_t, named_exec_t) | |
85 | ||
0bfccda4 CP |
86 | manage_files_pattern(named_t, named_log_t, named_log_t) |
87 | logging_log_filetrans(named_t, named_log_t, { file dir }) | |
98a8ead4 | 88 | |
0bfccda4 CP |
89 | manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) |
90 | manage_files_pattern(named_t, named_tmp_t, named_tmp_t) | |
103fe280 | 91 | files_tmp_filetrans(named_t, named_tmp_t, { file dir }) |
d83fdad2 | 92 | |
0bfccda4 CP |
93 | manage_files_pattern(named_t, named_var_run_t, named_var_run_t) |
94 | manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) | |
95 | files_pid_filetrans(named_t, named_var_run_t, { file sock_file }) | |
d83fdad2 CP |
96 | |
97 | # read zone files | |
c0868a7a | 98 | allow named_t named_zone_t:dir list_dir_perms; |
0bfccda4 CP |
99 | read_files_pattern(named_t, named_zone_t, named_zone_t) |
100 | read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) | |
d83fdad2 | 101 | |
445522dc | 102 | kernel_read_kernel_sysctls(named_t) |
d83fdad2 CP |
103 | kernel_read_system_state(named_t) |
104 | kernel_read_network_state(named_t) | |
d83fdad2 | 105 | |
f4878275 CP |
106 | corecmd_search_bin(named_t) |
107 | ||
19006686 CP |
108 | corenet_all_recvfrom_unlabeled(named_t) |
109 | corenet_all_recvfrom_netlabel(named_t) | |
668b3093 CP |
110 | corenet_tcp_sendrecv_generic_if(named_t) |
111 | corenet_udp_sendrecv_generic_if(named_t) | |
c1262146 CP |
112 | corenet_tcp_sendrecv_generic_node(named_t) |
113 | corenet_udp_sendrecv_generic_node(named_t) | |
d83fdad2 CP |
114 | corenet_tcp_sendrecv_all_ports(named_t) |
115 | corenet_udp_sendrecv_all_ports(named_t) | |
c1262146 CP |
116 | corenet_tcp_bind_generic_node(named_t) |
117 | corenet_udp_bind_generic_node(named_t) | |
d83fdad2 CP |
118 | corenet_tcp_bind_dns_port(named_t) |
119 | corenet_udp_bind_dns_port(named_t) | |
98a8ead4 CP |
120 | corenet_tcp_bind_rndc_port(named_t) |
121 | corenet_tcp_connect_all_ports(named_t) | |
006e9982 CP |
122 | corenet_sendrecv_dns_server_packets(named_t) |
123 | corenet_sendrecv_dns_client_packets(named_t) | |
124 | corenet_sendrecv_rndc_server_packets(named_t) | |
125 | corenet_sendrecv_rndc_client_packets(named_t) | |
ce6fee65 | 126 | corenet_dontaudit_udp_bind_all_reserved_ports(named_t) |
bc01b352 | 127 | corenet_udp_bind_all_unreserved_ports(named_t) |
d83fdad2 CP |
128 | |
129 | dev_read_sysfs(named_t) | |
130 | dev_read_rand(named_t) | |
87eb5c84 CP |
131 | dev_read_urand(named_t) |
132 | ||
15722ec9 | 133 | domain_use_interactive_fds(named_t) |
d83fdad2 CP |
134 | |
135 | files_read_etc_files(named_t) | |
136 | files_read_etc_runtime_files(named_t) | |
137 | ||
f4878275 CP |
138 | fs_getattr_all_fs(named_t) |
139 | fs_search_auto_mountpoints(named_t) | |
140 | ||
bc01b352 CP |
141 | auth_use_nsswitch(named_t) |
142 | ||
d83fdad2 CP |
143 | logging_send_syslog_msg(named_t) |
144 | ||
145 | miscfiles_read_localization(named_t) | |
87eb5c84 | 146 | miscfiles_read_certs(named_t) |
d83fdad2 | 147 | |
15722ec9 | 148 | userdom_dontaudit_use_unpriv_user_fds(named_t) |
296273a7 | 149 | userdom_dontaudit_search_user_home_dirs(named_t) |
d83fdad2 | 150 | |
6f81e1d3 | 151 | tunable_policy(`named_write_master_zones',` |
0bfccda4 | 152 | manage_dirs_pattern(named_t, named_zone_t, named_zone_t) |
3f67f722 | 153 | manage_files_pattern(named_t, named_zone_t, named_zone_t) |
0bfccda4 | 154 | manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) |
6f81e1d3 CP |
155 | ') |
156 | ||
bb7170f6 | 157 | optional_policy(` |
6f81e1d3 CP |
158 | init_dbus_chat_script(named_t) |
159 | ||
160 | sysnet_dbus_chat_dhcpc(named_t) | |
d8636fc9 | 161 | |
296273a7 | 162 | dbus_system_bus_client(named_t) |
d8636fc9 | 163 | dbus_connect_system_bus(named_t) |
6f81e1d3 | 164 | |
bb7170f6 | 165 | optional_policy(` |
6f81e1d3 CP |
166 | networkmanager_dbus_chat(named_t) |
167 | ') | |
168 | ') | |
169 | ||
bc01b352 | 170 | optional_policy(` |
ce6fee65 | 171 | kerberos_keytab_template(named, named_t) |
bc01b352 CP |
172 | ') |
173 | ||
bb7170f6 | 174 | optional_policy(` |
6f81e1d3 | 175 | # this seems like fds that arent being |
ff8f0a63 | 176 | # closed. these should probably be |
6f81e1d3 | 177 | # dontaudits instead. |
1815bad1 CP |
178 | networkmanager_rw_udp_sockets(named_t) |
179 | networkmanager_rw_packet_sockets(named_t) | |
180 | networkmanager_rw_routing_sockets(named_t) | |
d8636fc9 CP |
181 | ') |
182 | ||
bb7170f6 | 183 | optional_policy(` |
d83fdad2 CP |
184 | seutil_sigchld_newrole(named_t) |
185 | ') | |
186 | ||
bb7170f6 | 187 | optional_policy(` |
d83fdad2 CP |
188 | udev_read_db(named_t) |
189 | ') | |
190 | ||
191 | ######################################## | |
192 | # | |
193 | # NDC local policy | |
194 | # | |
195 | ||
196 | # cjp: why net_admin?! | |
197 | allow ndc_t self:capability { dac_override net_admin }; | |
198 | allow ndc_t self:process { fork signal_perms }; | |
0b36a214 | 199 | allow ndc_t self:fifo_file rw_fifo_file_perms; |
d83fdad2 CP |
200 | allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; |
201 | allow ndc_t self:tcp_socket create_socket_perms; | |
202 | allow ndc_t self:netlink_route_socket r_netlink_socket_perms; | |
203 | ||
0b36a214 | 204 | allow ndc_t dnssec_t:file read_file_perms; |
a5e2133b | 205 | allow ndc_t dnssec_t:lnk_file { getattr read }; |
d83fdad2 | 206 | |
0b36a214 | 207 | stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) |
d83fdad2 | 208 | |
0b36a214 | 209 | allow ndc_t named_conf_t:file read_file_perms; |
693d4aed | 210 | allow ndc_t named_conf_t:lnk_file { getattr read }; |
d83fdad2 | 211 | |
0b36a214 | 212 | allow ndc_t named_zone_t:dir search_dir_perms; |
d83fdad2 | 213 | |
445522dc | 214 | kernel_read_kernel_sysctls(ndc_t) |
d83fdad2 | 215 | |
19006686 CP |
216 | corenet_all_recvfrom_unlabeled(ndc_t) |
217 | corenet_all_recvfrom_netlabel(ndc_t) | |
668b3093 | 218 | corenet_tcp_sendrecv_generic_if(ndc_t) |
c1262146 | 219 | corenet_tcp_sendrecv_generic_node(ndc_t) |
d83fdad2 | 220 | corenet_tcp_sendrecv_all_ports(ndc_t) |
c1262146 | 221 | corenet_tcp_bind_generic_node(ndc_t) |
98a8ead4 | 222 | corenet_tcp_connect_rndc_port(ndc_t) |
006e9982 | 223 | corenet_sendrecv_rndc_client_packets(ndc_t) |
d83fdad2 | 224 | |
15722ec9 | 225 | domain_use_interactive_fds(ndc_t) |
d83fdad2 CP |
226 | |
227 | files_read_etc_files(ndc_t) | |
228 | files_search_pids(ndc_t) | |
229 | ||
f4878275 CP |
230 | fs_getattr_xattr_fs(ndc_t) |
231 | ||
1c1ac67f | 232 | init_use_fds(ndc_t) |
1815bad1 | 233 | init_use_script_ptys(ndc_t) |
d83fdad2 | 234 | |
d83fdad2 CP |
235 | logging_send_syslog_msg(ndc_t) |
236 | ||
237 | miscfiles_read_localization(ndc_t) | |
238 | ||
239 | sysnet_read_config(ndc_t) | |
98a8ead4 | 240 | sysnet_dns_name_resolve(ndc_t) |
d83fdad2 | 241 | |
296273a7 CP |
242 | userdom_use_user_terminals(ndc_t) |
243 | ||
5843d066 CP |
244 | term_dontaudit_use_console(ndc_t) |
245 | ||
d83fdad2 CP |
246 | # for /etc/rndc.key |
247 | ifdef(`distro_redhat',` | |
248 | allow ndc_t named_conf_t:dir search; | |
249 | ') | |
250 | ||
bb7170f6 | 251 | optional_policy(` |
d83fdad2 CP |
252 | nis_use_ypbind(ndc_t) |
253 | ') | |
254 | ||
bb7170f6 | 255 | optional_policy(` |
1815bad1 | 256 | nscd_socket_use(ndc_t) |
d83fdad2 | 257 | ') |
239db5e2 | 258 | |
bb7170f6 | 259 | optional_policy(` |
1c1ac67f | 260 | ppp_dontaudit_use_fds(ndc_t) |
725926c5 | 261 | ') |