+/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
interface(`bind_udp_chat_named',`
refpolicywarn(`$0($*) has been deprecated.')
')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an bind environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, ndc_t;
+ ')
+
+ allow $1 named_t:process { ptrace signal_perms };
+ ps_process_pattern($1, named_t)
+
+ allow $1 ndc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ndc_t)
+
+ bind_run_ndc($1, $2, $3)
+')
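Review bot: The `bind_admin` summary documents only `domain`, yet the body forwards `$2` and `$3` to `bind_run_ndc` (in refpolicy `_run_` interfaces those are the role and the terminal type), so callers get no documented second or third parameter; add two more `<param>` blocks in the same layout as `domain`, one for `role` ("Role allowed access") and one for `terminal` ("The type of the terminal for the ndc domain"), before the `<rolecap/>` line. Elsewhere in this commit `named_initrc_exec_t` is introduced and labeled on the init script, but this interface never grants a transition to it, so a bind administrator presumably still cannot run the init script in the expected domain; if that is meant to be part of the admin interface, the usual refpolicy shape is `init_labeled_script_domtrans($1, named_initrc_exec_t)`, `role_transition $2 named_initrc_exec_t system_r;` and `allow $2 system_r;`. The `ptrace` grant on `named_t` and `ndc_t` is broad (full memory and register access to the resolver), which is conventional for `_admin` interfaces of this policy generation but deserves a one-line `# ptrace is needed for admin debugging of named/ndc` comment so it is not dropped or widened by accident. Minor: the summary reads `an bind environment`; it should be `a bind environment`.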
-policy_module(bind, 1.7.1)
+policy_module(bind, 1.7.2)
########################################
#
type named_cache_t;
files_type(named_cache_t)
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
type named_log_t;
logging_log_file(named_log_t)
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched setcap setrlimit signal_perms };
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
corenet_tcp_sendrecv_all_if(ndc_t)
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_all_nodes(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)