SElinux policy files.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 1 Dec 2008 08:20:03 +0000 (08:20 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 1 Dec 2008 08:20:03 +0000 (08:20 +0000)
git-svn-id: file:///svn/unbound/trunk@1379 be551aaa-1e26-0410-a405-d3ace91eadb9

contrib/README
contrib/selinux/unbound.fc [new file with mode: 0644]
contrib/selinux/unbound.te [new file with mode: 0644]
doc/Changelog

index ef5cbbf6ed71d225650a95e2ab68307830029009..20336050959acfa52ef59c0dba7ab28b63f3f8b0 100644 (file)
@@ -8,3 +8,4 @@ distribution but may be helpful.
 * update-anchor.sh: shell script that uses unbound-host to update a set
        of trust anchor files. Run from cron twice a month.
 * unbound_munin_ : plugin for munin statistics report
+* selinux: the .fc and .te files for SElinux protection of the unbound daemon
diff --git a/contrib/selinux/unbound.fc b/contrib/selinux/unbound.fc
new file mode 100644 (file)
index 0000000..f7e63ea
--- /dev/null
@@ -0,0 +1,4 @@
+/etc/unbound(/.*)?                     system_u:object_r:unbound_conf_t:s0
+/etc/rc\.d/init\.d/unbound     --      system_u:object_r:unbound_initrc_exec_t:s0
+/usr/sbin/unbound              --      system_u:object_r:unbound_exec_t:s0
+/var/run/unbound(/.*)?                 system_u:object_r:unbound_var_run_t:s0
diff --git a/contrib/selinux/unbound.te b/contrib/selinux/unbound.te
new file mode 100644 (file)
index 0000000..d407ed3
--- /dev/null
@@ -0,0 +1,42 @@
+policy_module(unbound, 0.1.0)
+
+type unbound_t;
+type unbound_conf_t;
+type unbound_exec_t;
+type unbound_initrc_exec_t;
+type unbound_var_run_t;
+
+init_daemon_domain(unbound_t, unbound_exec_t)
+init_script_file(unbound_initrc_exec_t)
+
+role system_r types unbound_t;
+
+# XXX
+# unbound-{checkconf,control} are not protected. Do we need protect them?
+
+# Unbound daemon
+
+auth_use_nsswitch(unbound_t)
+dev_read_urand(unbound_t)
+corenet_all_recvfrom_unlabeled(unbound_t)
+corenet_tcp_bind_all_nodes(unbound_t)
+corenet_tcp_bind_dns_port(unbound_t)
+corenet_tcp_bind_rndc_port(unbound_t)
+corenet_udp_bind_all_nodes(unbound_t)
+corenet_udp_bind_all_unreserved_ports(unbound_t)
+corenet_udp_bind_dns_port(unbound_t)
+files_read_etc_files(unbound_t)
+files_pid_file(unbound_var_run_t)
+files_type(unbound_conf_t)
+libs_use_ld_so(unbound_t)
+libs_use_shared_libs(unbound_t)
+logging_send_syslog_msg(unbound_t)
+manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
+miscfiles_read_localization(unbound_t)
+read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
+
+allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
+allow unbound_t self:tcp_socket create_stream_socket_perms;
+allow unbound_t self:udp_socket create_socket_perms;
+
+###################################################
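Review bot: The rule `allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };` grants `dac_override`, which lets the daemon bypass the DAC permission bits on any file its type rules already reach, so it weakens the confinement the .fc labels in this commit set up; with /etc/unbound and /var/run/unbound labelled for unbound_t, that capability is normally only needed to mask wrong file ownership, and I would remove it and let an audit of denials show whether anything real depends on it. Conversely, if unbound is started with its chroot option enabled (which I believe is its stock default), the daemon also needs `sys_chroot`, which this list omits, so in enforcing mode the policy would stop startup rather than confine the process; this should be checked against a run before the module ships. `corenet_tcp_bind_rndc_port` covers rndc's port, which may not be the port unbound-control's listener uses, so if the control channel runs elsewhere it deserves its own port type and interface rather than borrowing rndc's. The closing line of `#` characters looks like an unfinished section header; either drop it or follow it with the intended comment.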
index 476f1459e12db8c26b2f05e0ec95aed68428a5a9..7a0e74aabe6e07cea1b5a46df798ff396f9d483c 100644 (file)
@@ -1,3 +1,7 @@
+1 December 2008: Wouter
+       - SElinux policy files in contrib/selinux for the unbound daemon,
+         by Paul Wouters and Adam Tkac.
+
 25 November 2008: Wouter
        - configure complains when --without-ssl is given (bug #220).
        - skip unsupported feature tests on vista/mingw.