From dce4fd489162b92324f5f60202f319454b107981 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Fri, 17 Jan 2014 10:59:34 +0200
Subject: [PATCH] New policy and context files
---
 contrib/selinux/pdns.fc | 9 ++++++---
 contrib/selinux/pdns.te | 26 ++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/contrib/selinux/pdns.fc b/contrib/selinux/pdns.fc
index 4d7af1e4e0..f841623af8 100644
--- a/contrib/selinux/pdns.fc
+++ b/contrib/selinux/pdns.fc
@@ -1,6 +1,9 @@
 /usr/sbin/pdns_server -- gen_context(system_u:object_r:named_exec_t,s0)
-/etc/pdns/pdns\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -d gen_context(system_u:object_r:named_conf_t,s0)
 /var/run/pdns\.controlsocket -s gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/pdns\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)
-/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
-/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/var/cache/pdns(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0)
+/var/cache/pdns(/.*)? -d gen_context(system_u:object_r:named_cache_t,s0)
diff --git a/contrib/selinux/pdns.te b/contrib/selinux/pdns.te
index 95960d7cc5..488b4a6eb0 100644
--- a/contrib/selinux/pdns.te
+++ b/contrib/selinux/pdns.te
@@ -1,7 +1,15 @@
-policy_module(pdns,0.9.0)
+policy_module(pdns,0.9.5)
 require{
- type named_t;
+ type named_t;
+ type named_cache_t;
+ type named_conf_t;
+ type named_var_run_t;
+ type ndc_t;
+ type tmp_t;
+ class file { getattr unlink append read setattr write lock create rename link open };
+ class sock_file { create read write unlink setattr getattr };
+ class dir { add_name write read remove_name };
 }
 #only needed if using the guardian
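Review bot: The `--` and `-d` qualifiers on the new `/etc/pdns(/.*)?` and `/var/cache/pdns(/.*)?` entries label only regular files and directories, so a symlink, FIFO or socket placed under either tree matches neither line and presumably falls back to the generic `/etc` or `/var/cache` rule instead of named_conf_t / named_cache_t. The refpolicy idiom for labelling a whole tree is a single entry with no type qualifier, `/etc/pdns(/.*)?   gen_context(system_u:object_r:named_conf_t,s0)` and `/var/cache/pdns(/.*)?   gen_context(system_u:object_r:named_cache_t,s0)`, which replaces both pairs. The re-added `/usr/bin/pdns_control` and `/usr/bin/pdnssec` lines look identical to the removed ones apart from whitespace; if that churn is intentional the commit message should say why.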
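Review bot: The extended `require{}` block does not declare `var_run_t`, yet the second hunk of this file adds `allow named_t var_run_t:sock_file …` and `allow ndc_t var_run_t:sock_file …`; unless the type is required in the lines between the two hunks, which the diff does not show, the module should fail to build with an undeclared-type error. Add `type var_run_t;` next to `type tmp_t;`. A one-line comment on the block, `# named_*/ndc_t come from the bind module, tmp_t/var_run_t from the kernel files module`, would also tell a maintainer which policy modules this one depends on.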
@@ -14,3 +22,17 @@ mysql_stream_connect(named_t)
 #postgres backend:
 postgresql_stream_connect(named_t)
+
+#bind backend:
+allow named_t named_cache_t:file { getattr unlink append read setattr write lock create rename link open };
+allow named_t named_cache_t:dir { add_name write read remove_name };
+allow named_t named_conf_t:file { read open };
+allow named_t named_var_run_t:file { getattr unlink append read setattr write lock create rename link open };
+
+# other stuff
+allow named_t var_run_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:file {getattr unlink append read setattr write lock create rename link open };
+allow ndc_t tmp_t:dir { add_name write read remove_name };
+allow ndc_t var_run_t:sock_file { create read write unlink };
+allow ndc_t named_conf_t:file { read open };
-- 
2.47.3
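Review bot: `allow named_t var_run_t:sock_file { create read write unlink setattr getattr }` lets the server domain create, write and unlink any generic socket in /var/run rather than only its own control socket, and because pdns reuses BIND's `named_t` and `ndc_t` domains every rule in this hunk also loosens BIND's confinement on a host that runs both. The usual fix is a transition onto the private type plus a rule on that type, `files_pid_filetrans(named_t, named_var_run_t, sock_file, "pdns.controlsocket")` and `allow named_t named_var_run_t:sock_file { create read write unlink setattr getattr };`, which also matches the `-s named_var_run_t` entry pdns.fc already declares for that path (the four-argument form needs a refpolicy with named file transitions). The `ndc_t tmp_t` rules have the same shape, create/unlink/rename on any generic /tmp file, socket or directory entry, and would be better served by a private tmp type for ndc_t with `files_tmp_filetrans`. The `# other stuff` heading says nothing; each of those rules should carry a comment naming the operation that was denied without it.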