103 lines
3.3 KiB
Plaintext
103 lines
3.3 KiB
Plaintext
|
#DESC Authoritative only name server
|
||
|
#
|
||
|
# Author: Russell Coker
|
||
|
# X-Debian-Packages: nsd
|
||
|
#
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the nsd_t domain.
|
||
|
#
|
||
|
|
||
|
daemon_domain(nsd)
|
||
|
|
||
|
# a type for nsd.db
|
||
|
type nsd_db_t, file_type, sysadmfile;
|
||
|
|
||
|
# for zone update cron job
|
||
|
type nsd_crond_t, domain, privlog;
|
||
|
role system_r types nsd_crond_t;
|
||
|
uses_shlib(nsd_crond_t)
|
||
|
can_network_client(nsd_crond_t)
|
||
|
allow nsd_crond_t port_type:tcp_socket name_connect;
|
||
|
can_ypbind(nsd_crond_t)
|
||
|
allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow nsd_crond_t self:process { fork signal_perms };
|
||
|
system_crond_entry(nsd_exec_t, nsd_crond_t)
|
||
|
allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
|
||
|
allow nsd_crond_t proc_t:lnk_file { getattr read };
|
||
|
allow nsd_crond_t { bin_t sbin_t }:dir search;
|
||
|
can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
|
||
|
allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
|
||
|
allow nsd_crond_t bin_t:lnk_file read;
|
||
|
read_locale(nsd_crond_t)
|
||
|
allow nsd_crond_t self:fifo_file rw_file_perms;
|
||
|
# kill capability for root cron job and non-root daemon
|
||
|
allow nsd_crond_t self:capability { dac_override kill };
|
||
|
allow nsd_crond_t nsd_t:process signal;
|
||
|
dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
|
||
|
dontaudit nsd_crond_t self:capability sys_nice;
|
||
|
dontaudit nsd_crond_t domain:dir search;
|
||
|
allow nsd_crond_t self:process setsched;
|
||
|
can_ps(nsd_crond_t, nsd_t)
|
||
|
|
||
|
file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
|
||
|
file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
|
||
|
allow nsd_crond_t var_lib_t:dir search;
|
||
|
|
||
|
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
|
||
|
allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
|
||
|
allow nsd_crond_t proc_t:dir r_dir_perms;
|
||
|
allow nsd_crond_t device_t:dir search;
|
||
|
allow nsd_crond_t devtty_t:chr_file rw_file_perms;
|
||
|
allow nsd_crond_t etc_t:file { getattr read };
|
||
|
allow nsd_crond_t etc_t:lnk_file read;
|
||
|
allow nsd_crond_t { var_t var_run_t }:dir search;
|
||
|
allow nsd_crond_t nsd_var_run_t:file { getattr read };
|
||
|
|
||
|
# for SSP
|
||
|
allow nsd_crond_t urandom_device_t:chr_file read;
|
||
|
|
||
|
# A type for configuration files of nsd
|
||
|
type nsd_conf_t, file_type, sysadmfile;
|
||
|
# A type for zone files
|
||
|
type nsd_zone_t, file_type, sysadmfile;
|
||
|
|
||
|
r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
|
||
|
# zone files may be in /var/lib/nsd
|
||
|
allow nsd_t var_lib_t:dir search;
|
||
|
r_dir_file(initrc_t, nsd_conf_t)
|
||
|
allow nsd_t etc_runtime_t:file { getattr read };
|
||
|
allow nsd_t proc_t:file { getattr read };
|
||
|
allow nsd_t { sbin_t bin_t }:dir search;
|
||
|
can_exec(nsd_t, { nsd_exec_t bin_t })
|
||
|
|
||
|
# Use capabilities. chown is for chowning /var/run/nsd.pid
|
||
|
allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
|
||
|
|
||
|
allow nsd_t etc_t:{ file lnk_file } { getattr read };
|
||
|
|
||
|
# nsd can use network
|
||
|
can_network_server(nsd_t)
|
||
|
can_ypbind(nsd_t)
|
||
|
# allow client access from caching BIND
|
||
|
ifdef(`named.te', `
|
||
|
can_udp_send(named_t, nsd_t)
|
||
|
can_udp_send(nsd_t, named_t)
|
||
|
can_tcp_connect(named_t, nsd_t)
|
||
|
')
|
||
|
|
||
|
# if you want to allow all programs to contact the primary name server
|
||
|
#can_udp_send(domain, nsd_t)
|
||
|
#can_udp_send(nsd_t, domain)
|
||
|
#can_tcp_connect(domain, nsd_t)
|
||
|
|
||
|
# Bind to the named port.
|
||
|
allow nsd_t dns_port_t:udp_socket name_bind;
|
||
|
allow nsd_t dns_port_t:tcp_socket name_bind;
|
||
|
|
||
|
allow nsd_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow nsd_t self:unix_dgram_socket create_socket_perms;
|
||
|
|