psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   5493c2036b65967d23d9ef48f2a20ed9b4826ebf
  2.   strict
  3.   domains
  4.   program
  5.   named.te
Blob Blame History Raw 
#DESC BIND - Name server
#
# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
#           Russell Coker
# X-Debian-Packages: bind bind9
# 
#

#################################
#
# Rules for the named_t domain.
#

daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)

type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)

# For /var/run/ndc used in BIND 8
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)

# ndc_t is the domain for the ndc program
type ndc_t, domain, privlog, nscd_client_domain;
role sysadm_r types ndc_t;
role system_r types ndc_t;

ifdef(`targeted_policy', `
dontaudit ndc_t root_t:file { getattr read };
dontaudit ndc_t unlabeled_t:file { getattr read };	
')

can_exec(named_t, named_exec_t)
allow named_t sbin_t:dir search;

allow named_t self:process { setsched setcap setrlimit };

# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;

# for primary zone files
type named_zone_t, file_type, sysadmfile;

# for secondary zone files
type named_cache_t, file_type, sysadmfile;

# for DNSSEC key files
type dnssec_t, file_type, sysadmfile, secure_file_type;
allow { ndc_t named_t } dnssec_t:file { getattr read };

# Use capabilities. Surplus capabilities may be allowed.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };

allow named_t etc_t:file { getattr read };
allow named_t etc_runtime_t:{ file lnk_file } { getattr read };

#Named can use network
can_network(named_t)
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP transfer to/from any program
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
log_domain(named)

# Bind to the named port.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;

bool named_write_master_zones false;

#read configuration files
r_dir_file(named_t, named_conf_t)

if (named_write_master_zones) {
#create and modify zone files
create_dir_file(named_t, named_zone_t)
}
#read zone files
r_dir_file(named_t, named_zone_t)

#write cache for secondary zones
rw_dir_create_file(named_t, named_cache_t)

allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:netlink_route_socket r_netlink_socket_perms;

# Read sysctl kernel variables.
read_sysctl(named_t)

# Read /proc/cpuinfo and /proc/net
r_dir_file(named_t, proc_t)
r_dir_file(named_t, proc_net_t)

# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
allow named_t random_device_t:chr_file r_file_perms;

# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;

# Set own capabilities.
#A type for /usr/sbin/ndc
type ndc_exec_t, file_type,sysadmfile, exec_type;
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)

# for /etc/rndc.key
ifdef(`distro_redhat', `
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
')
allow { ndc_t initrc_t } named_conf_t:file { getattr read };

allow ndc_t etc_t:dir r_dir_perms;
allow ndc_t etc_t:file r_file_perms;
allow ndc_t self:unix_stream_socket create_stream_socket_perms;
allow ndc_t self:unix_stream_socket connect;
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t var_t:dir search;
allow ndc_t var_run_t:dir search;
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_t:unix_stream_socket connectto;
allow ndc_t { privfd init_t }:fd use;
# seems to need read as well for some reason
allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
allow ndc_t fs_t:filesystem getattr;

# Read sysctl kernel variables.
read_sysctl(ndc_t)

allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t named_zone_t:dir search;

# for chmod in start script
dontaudit initrc_t named_var_run_t:dir setattr;

# for ndc_t to be used for restart shell scripts
ifdef(`ndc_shell_script', `
system_crond_entry(ndc_exec_t, ndc_t)
allow ndc_t devtty_t:chr_file { read write ioctl };
allow ndc_t etc_runtime_t:file { getattr read };
allow ndc_t proc_t:dir search;
allow ndc_t proc_t:file { getattr read };
can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.