selinux-policy/refpolicy/policy/modules/services/bind.if

145 lines
3.0 KiB
Plaintext
Raw Normal View History

2005-08-23 17:26:19 +00:00
## <summary>Berkeley internet name domain DNS server.</summary>
########################################
## <summary>
## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bind_domtrans_ndc',`
gen_require(`
type ndc_t, ndc_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,ndc_exec_t,ndc_t)
allow $1 ndc_t:fd use;
allow ndc_t $1:fd use;
allow ndc_t $1:fifo_file rw_file_perms;
allow ndc_t $1:process sigchld;
')
########################################
## <summary>
## Execute ndc in the ndc domain, and
## allow the specified role the ndc domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the bind domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the bind domain to use.
## </param>
#
interface(`bind_run_ndc',`
gen_require(`
type ndc_t;
class chr_file rw_term_perms;
')
bind_domtrans_ndc($1)
role $2 types ndc_t;
allow ndc_t $3:chr_file rw_term_perms;
')
2005-09-02 14:52:08 +00:00
########################################
## <summary>
## Read DNSSEC keys.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_read_dnssec_keys',`
gen_require(`
type named_conf_t, named_zone_t, dnssec_t;
class dir search;
class file { getattr read };
')
allow $1 { named_conf_t named_zone_t }:dir search;
allow $1 dnssec_t:file { getattr read };
')
2005-08-23 17:26:19 +00:00
########################################
## <summary>
## Read BIND named configuration files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_read_config',`
gen_require(`
type named_conf_t;
class dir search;
class file { getattr read };
')
allow $1 named_conf_t:dir search;
allow $1 named_conf_t:file { getattr read };
')
########################################
## <summary>
## Write BIND named configuration files.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_write_config',`
gen_require(`
type named_conf_t;
class dir search;
class file { write setattr };
')
allow $1 named_conf_t:dir search;
allow $1 named_conf_t:file { write setattr };
')
2005-09-15 21:03:29 +00:00
########################################
## <summary>
## Create, read, write, and delete
## BIND configuration directories.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_manage_config_dir',`
gen_require(`
type named_conf_t;
class dir perms;
')
allow $1 named_conf_t:dir create_dir_perms;
')
2005-08-23 17:26:19 +00:00
########################################
## <summary>
## Do not audit attempts to set the attributes
## of the BIND pid directory.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`bind_setattr_pid_dir',`
gen_require(`
type named_var_run_t;
class dir setattr;
')
allow $1 named_var_run_t:dir setattr;
')