[people/stevee/selinux-policy.git] / policy / modules / services / bind.te


policy_module(bind, 1.11.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow BIND to write the master zone files.
## Generally this is used for dynamic DNS or zone transfers.
## </p>
## </desc>
gen_tunable(named_write_master_zones, false)

# for DNSSEC key files
type dnssec_t;
files_security_file(dnssec_t)

type named_t;
type named_exec_t;
init_daemon_domain(named_t, named_exec_t)
role system_r types named_t;

type named_checkconf_exec_t;
init_system_domain(named_t, named_checkconf_exec_t)

# A type for configuration files of named.
type named_conf_t;
files_type(named_conf_t)
files_mountpoint(named_conf_t)

# for secondary zone files
type named_cache_t;
files_type(named_cache_t)

type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)

type named_log_t;
logging_log_file(named_log_t)

type named_tmp_t;
files_tmp_file(named_tmp_t)

type named_var_run_t;
files_pid_file(named_var_run_t)

# for primary zone files
type named_zone_t;
files_type(named_zone_t)

type ndc_t;
type ndc_exec_t;
init_system_domain(ndc_t, ndc_exec_t)
role system_r types ndc_t;

########################################
#
# Named local policy
#

allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:tcp_socket create_stream_socket_perms;
allow named_t self:udp_socket create_socket_perms;

allow named_t dnssec_t:file read_file_perms;

# read configuration
allow named_t named_conf_t:dir list_dir_perms;
read_files_pattern(named_t, named_conf_t, named_conf_t)
read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)

# write cache for secondary zones
manage_files_pattern(named_t, named_cache_t, named_cache_t)
manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)

can_exec(named_t, named_exec_t)

manage_files_pattern(named_t, named_log_t, named_log_t)
logging_log_filetrans(named_t, named_log_t, { file dir })

manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })

manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
files_pid_filetrans(named_t, named_var_run_t, { file sock_file })

# read zone files
allow named_t named_zone_t:dir list_dir_perms;
read_files_pattern(named_t, named_zone_t, named_zone_t)
read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)

kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)

corecmd_search_bin(named_t)

corenet_all_recvfrom_unlabeled(named_t)
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
corenet_tcp_sendrecv_generic_node(named_t)
corenet_udp_sendrecv_generic_node(named_t)
corenet_tcp_sendrecv_all_ports(named_t)
corenet_udp_sendrecv_all_ports(named_t)
corenet_tcp_bind_generic_node(named_t)
corenet_udp_bind_generic_node(named_t)
corenet_tcp_bind_dns_port(named_t)
corenet_udp_bind_dns_port(named_t)
corenet_tcp_bind_rndc_port(named_t)
corenet_tcp_connect_all_ports(named_t)
corenet_sendrecv_dns_server_packets(named_t)
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
corenet_udp_bind_all_unreserved_ports(named_t)

dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)

domain_use_interactive_fds(named_t)

files_read_etc_files(named_t)
files_read_etc_runtime_files(named_t)

fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)

auth_use_nsswitch(named_t)

logging_send_syslog_msg(named_t)

miscfiles_read_localization(named_t)
miscfiles_read_certs(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)

tunable_policy(`named_write_master_zones',`
	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
	manage_files_pattern(named_t, named_zone_t, named_zone_t)
	manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
')

optional_policy(`
	init_dbus_chat_script(named_t)

	sysnet_dbus_chat_dhcpc(named_t)

	dbus_system_bus_client(named_t)
	dbus_connect_system_bus(named_t)

	optional_policy(`
		networkmanager_dbus_chat(named_t)
	')
')

optional_policy(`
	kerberos_keytab_template(named, named_t)
')

optional_policy(`
	# this seems like fds that arent being
	# closed. these should probably be
	# dontaudits instead.
	networkmanager_rw_udp_sockets(named_t)
	networkmanager_rw_packet_sockets(named_t)
	networkmanager_rw_routing_sockets(named_t)
')

optional_policy(`
	seutil_sigchld_newrole(named_t)
')

optional_policy(`
	udev_read_db(named_t)
')

########################################
#
# NDC local policy
#

# cjp: why net_admin?!
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;

allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file { getattr read };

stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)

allow ndc_t named_conf_t:file read_file_perms;
allow ndc_t named_conf_t:lnk_file { getattr read };

allow ndc_t named_zone_t:dir search_dir_perms;

kernel_read_kernel_sysctls(ndc_t)

corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_bind_generic_node(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)

domain_use_interactive_fds(ndc_t)

files_read_etc_files(ndc_t)
files_search_pids(ndc_t)

fs_getattr_xattr_fs(ndc_t)

init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)

logging_send_syslog_msg(ndc_t)

miscfiles_read_localization(ndc_t)

sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)

userdom_use_user_terminals(ndc_t)

term_dontaudit_use_console(ndc_t)

# for /etc/rndc.key
ifdef(`distro_redhat',`
	allow ndc_t named_conf_t:dir search;
')

optional_policy(`
	nis_use_ypbind(ndc_t)
')

optional_policy(`
	nscd_socket_use(ndc_t)
')

optional_policy(`
	ppp_dontaudit_use_fds(ndc_t)
')
Commit	Line	Data
d83fdad2	1
29af4c13	2	policy_module(bind, 1.11.0)
d83fdad2 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Allow BIND to write the master zone files.
dd9e1de3	12	## Generally this is used for dynamic DNS or zone transfers.
56e1b3d2 CP	13	## </p>
56e1b3d2 CP	14	## </desc>
0bfccda4	15	gen_tunable(named_write_master_zones, false)
56e1b3d2	16
d83fdad2	17	# for DNSSEC key files
a2868f6e CP	18	type dnssec_t;
a2868f6e CP	19	files_security_file(dnssec_t)
d83fdad2 CP	20
	21	type named_t;
	22	type named_exec_t;
0bfccda4	23	init_daemon_domain(named_t, named_exec_t)
d83fdad2 CP	24	role system_r types named_t;
d83fdad2 CP	25
98a8ead4	26	type named_checkconf_exec_t;
0bfccda4	27	init_system_domain(named_t, named_checkconf_exec_t)
98a8ead4	28
d83fdad2 CP	29	# A type for configuration files of named.
	30	type named_conf_t;
	31	files_type(named_conf_t)
d8636fc9	32	files_mountpoint(named_conf_t)
d83fdad2 CP	33
	34	# for secondary zone files
	35	type named_cache_t;
	36	files_type(named_cache_t)
	37
f5394cc3 CP	38	type named_initrc_exec_t;
	39	init_script_file(named_initrc_exec_t)
	40
98a8ead4 CP	41	type named_log_t;
	42	logging_log_file(named_log_t)
	43
d83fdad2 CP	44	type named_tmp_t;
	45	files_tmp_file(named_tmp_t)
	46
	47	type named_var_run_t;
	48	files_pid_file(named_var_run_t)
	49
	50	# for primary zone files
	51	type named_zone_t;
	52	files_type(named_zone_t)
	53
	54	type ndc_t;
	55	type ndc_exec_t;
0bfccda4	56	init_system_domain(ndc_t, ndc_exec_t)
d83fdad2 CP	57	role system_r types ndc_t;
	58
	59	########################################
	60	#
	61	# Named local policy
	62	#
	63
	64	allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
	65	dontaudit named_t self:capability sys_tty_config;
f5394cc3	66	allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
c0868a7a	67	allow named_t self:fifo_file rw_fifo_file_perms;
d83fdad2 CP	68	allow named_t self:unix_stream_socket create_stream_socket_perms;
	69	allow named_t self:unix_dgram_socket create_socket_perms;
	70	allow named_t self:tcp_socket create_stream_socket_perms;
	71	allow named_t self:udp_socket create_socket_perms;
d83fdad2	72
0b36a214	73	allow named_t dnssec_t:file read_file_perms;
d83fdad2 CP	74
d83fdad2 CP	75	# read configuration
c0868a7a	76	allow named_t named_conf_t:dir list_dir_perms;
0bfccda4 CP	77	read_files_pattern(named_t, named_conf_t, named_conf_t)
0bfccda4 CP	78	read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
d83fdad2 CP	79
d83fdad2 CP	80	# write cache for secondary zones
0bfccda4 CP	81	manage_files_pattern(named_t, named_cache_t, named_cache_t)
0bfccda4 CP	82	manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
d83fdad2 CP	83
	84	can_exec(named_t, named_exec_t)
	85
0bfccda4 CP	86	manage_files_pattern(named_t, named_log_t, named_log_t)
0bfccda4 CP	87	logging_log_filetrans(named_t, named_log_t, { file dir })
98a8ead4	88
0bfccda4 CP	89	manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
0bfccda4 CP	90	manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
103fe280	91	files_tmp_filetrans(named_t, named_tmp_t, { file dir })
d83fdad2	92
0bfccda4 CP	93	manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
	94	manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
	95	files_pid_filetrans(named_t, named_var_run_t, { file sock_file })
d83fdad2 CP	96
d83fdad2 CP	97	# read zone files
c0868a7a	98	allow named_t named_zone_t:dir list_dir_perms;
0bfccda4 CP	99	read_files_pattern(named_t, named_zone_t, named_zone_t)
0bfccda4 CP	100	read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
d83fdad2	101
445522dc	102	kernel_read_kernel_sysctls(named_t)
d83fdad2 CP	103	kernel_read_system_state(named_t)
d83fdad2 CP	104	kernel_read_network_state(named_t)
d83fdad2	105
f4878275 CP	106	corecmd_search_bin(named_t)
f4878275 CP	107
19006686 CP	108	corenet_all_recvfrom_unlabeled(named_t)
19006686 CP	109	corenet_all_recvfrom_netlabel(named_t)
668b3093 CP	110	corenet_tcp_sendrecv_generic_if(named_t)
668b3093 CP	111	corenet_udp_sendrecv_generic_if(named_t)
c1262146 CP	112	corenet_tcp_sendrecv_generic_node(named_t)
c1262146 CP	113	corenet_udp_sendrecv_generic_node(named_t)
d83fdad2 CP	114	corenet_tcp_sendrecv_all_ports(named_t)
d83fdad2 CP	115	corenet_udp_sendrecv_all_ports(named_t)
c1262146 CP	116	corenet_tcp_bind_generic_node(named_t)
c1262146 CP	117	corenet_udp_bind_generic_node(named_t)
d83fdad2 CP	118	corenet_tcp_bind_dns_port(named_t)
d83fdad2 CP	119	corenet_udp_bind_dns_port(named_t)
98a8ead4 CP	120	corenet_tcp_bind_rndc_port(named_t)
98a8ead4 CP	121	corenet_tcp_connect_all_ports(named_t)
006e9982 CP	122	corenet_sendrecv_dns_server_packets(named_t)
	123	corenet_sendrecv_dns_client_packets(named_t)
	124	corenet_sendrecv_rndc_server_packets(named_t)
	125	corenet_sendrecv_rndc_client_packets(named_t)
ce6fee65	126	corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
bc01b352	127	corenet_udp_bind_all_unreserved_ports(named_t)
d83fdad2 CP	128
	129	dev_read_sysfs(named_t)
	130	dev_read_rand(named_t)
87eb5c84 CP	131	dev_read_urand(named_t)
87eb5c84 CP	132
15722ec9	133	domain_use_interactive_fds(named_t)
d83fdad2 CP	134
	135	files_read_etc_files(named_t)
	136	files_read_etc_runtime_files(named_t)
	137
f4878275 CP	138	fs_getattr_all_fs(named_t)
	139	fs_search_auto_mountpoints(named_t)
	140
bc01b352 CP	141	auth_use_nsswitch(named_t)
bc01b352 CP	142
d83fdad2 CP	143	logging_send_syslog_msg(named_t)
	144
	145	miscfiles_read_localization(named_t)
87eb5c84	146	miscfiles_read_certs(named_t)
d83fdad2	147
15722ec9	148	userdom_dontaudit_use_unpriv_user_fds(named_t)
296273a7	149	userdom_dontaudit_search_user_home_dirs(named_t)
d83fdad2	150
6f81e1d3	151	tunable_policy(`named_write_master_zones',`
0bfccda4	152	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
3f67f722	153	manage_files_pattern(named_t, named_zone_t, named_zone_t)
0bfccda4	154	manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
6f81e1d3 CP	155	')
6f81e1d3 CP	156
bb7170f6	157	optional_policy(`
6f81e1d3 CP	158	init_dbus_chat_script(named_t)
	159
	160	sysnet_dbus_chat_dhcpc(named_t)
d8636fc9	161
296273a7	162	dbus_system_bus_client(named_t)
d8636fc9	163	dbus_connect_system_bus(named_t)
6f81e1d3	164
bb7170f6	165	optional_policy(`
6f81e1d3 CP	166	networkmanager_dbus_chat(named_t)
	167	')
	168	')
	169
bc01b352	170	optional_policy(`
ce6fee65	171	kerberos_keytab_template(named, named_t)
bc01b352 CP	172	')
bc01b352 CP	173
bb7170f6	174	optional_policy(`
6f81e1d3	175	# this seems like fds that arent being
ff8f0a63	176	# closed. these should probably be
6f81e1d3	177	# dontaudits instead.
1815bad1 CP	178	networkmanager_rw_udp_sockets(named_t)
	179	networkmanager_rw_packet_sockets(named_t)
	180	networkmanager_rw_routing_sockets(named_t)
d8636fc9 CP	181	')
d8636fc9 CP	182
bb7170f6	183	optional_policy(`
d83fdad2 CP	184	seutil_sigchld_newrole(named_t)
	185	')
	186
bb7170f6	187	optional_policy(`
d83fdad2 CP	188	udev_read_db(named_t)
	189	')
	190
	191	########################################
	192	#
	193	# NDC local policy
	194	#
	195
	196	# cjp: why net_admin?!
	197	allow ndc_t self:capability { dac_override net_admin };
	198	allow ndc_t self:process { fork signal_perms };
0b36a214	199	allow ndc_t self:fifo_file rw_fifo_file_perms;
d83fdad2 CP	200	allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
	201	allow ndc_t self:tcp_socket create_socket_perms;
	202	allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
	203
0b36a214	204	allow ndc_t dnssec_t:file read_file_perms;
a5e2133b	205	allow ndc_t dnssec_t:lnk_file { getattr read };
d83fdad2	206
0b36a214	207	stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
d83fdad2	208
0b36a214	209	allow ndc_t named_conf_t:file read_file_perms;
693d4aed	210	allow ndc_t named_conf_t:lnk_file { getattr read };
d83fdad2	211
0b36a214	212	allow ndc_t named_zone_t:dir search_dir_perms;
d83fdad2	213
445522dc	214	kernel_read_kernel_sysctls(ndc_t)
d83fdad2	215
19006686 CP	216	corenet_all_recvfrom_unlabeled(ndc_t)
19006686 CP	217	corenet_all_recvfrom_netlabel(ndc_t)
668b3093	218	corenet_tcp_sendrecv_generic_if(ndc_t)
c1262146	219	corenet_tcp_sendrecv_generic_node(ndc_t)
d83fdad2	220	corenet_tcp_sendrecv_all_ports(ndc_t)
c1262146	221	corenet_tcp_bind_generic_node(ndc_t)
98a8ead4	222	corenet_tcp_connect_rndc_port(ndc_t)
006e9982	223	corenet_sendrecv_rndc_client_packets(ndc_t)
d83fdad2	224
15722ec9	225	domain_use_interactive_fds(ndc_t)
d83fdad2 CP	226
	227	files_read_etc_files(ndc_t)
	228	files_search_pids(ndc_t)
	229
f4878275 CP	230	fs_getattr_xattr_fs(ndc_t)
f4878275 CP	231
1c1ac67f	232	init_use_fds(ndc_t)
1815bad1	233	init_use_script_ptys(ndc_t)
d83fdad2	234
d83fdad2 CP	235	logging_send_syslog_msg(ndc_t)
	236
	237	miscfiles_read_localization(ndc_t)
	238
	239	sysnet_read_config(ndc_t)
98a8ead4	240	sysnet_dns_name_resolve(ndc_t)
d83fdad2	241
296273a7 CP	242	userdom_use_user_terminals(ndc_t)
296273a7 CP	243
5843d066 CP	244	term_dontaudit_use_console(ndc_t)
5843d066 CP	245
d83fdad2 CP	246	# for /etc/rndc.key
	247	ifdef(`distro_redhat',`
	248	allow ndc_t named_conf_t:dir search;
	249	')
	250
bb7170f6	251	optional_policy(`
d83fdad2 CP	252	nis_use_ypbind(ndc_t)
	253	')
	254
bb7170f6	255	optional_policy(`
1815bad1	256	nscd_socket_use(ndc_t)
d83fdad2	257	')
239db5e2	258
bb7170f6	259	optional_policy(`
1c1ac67f	260	ppp_dontaudit_use_fds(ndc_t)
725926c5	261	')