#DESC BIND - Name server
#
# Authors: Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker
# X-Debian-Packages: bind bind9
#
# Type enforcement rules for BIND: the named_t domain (the name server
# daemon), the ndc_t domain (the ndc/rndc control utility), and the file
# types for its configuration, zone files, secondary cache and DNSSEC
# keys. Several rules in this file are deliberately broad (any domain may
# talk to named_t over UDP/TCP, named_t may connect to any port type);
# each is marked with a NOTE(review) so a site policy can tighten it.
#

#################################
#
# Rules for the named_t domain.
#

# Declares named_t / named_exec_t as a daemon domain and gives named_t
# the nscd_client_domain attribute.
daemon_domain(named, `, nscd_client_domain')
# Private temporary-file type for named_t (via the tmp_domain macro).
tmp_domain(named)

# named-checkconf executed by the init script (initrc_t) transitions into
# named_t instead of running in initrc_t.
type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)

# For /var/run/ndc used in BIND 8
# Sockets that named_t creates in var_run_t directories are labeled
# named_var_run_t (the control socket ndc_t connects to further down).
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)

# ndc_t is the domain for the ndc program
type ndc_t, domain, privlog, nscd_client_domain;
# ndc_t is reachable from the sysadm_r and system_r roles; the entry rule
# (domain_auto_trans on ndc_exec_t) is in the ndc_t section below.
role sysadm_r types ndc_t;
role system_r types ndc_t;

# Targeted policy: do not log ndc_t attempts to read files labeled root_t
# or unlabeled_t. Nothing here grants that access.
ifdef(`targeted_policy', `
dontaudit ndc_t root_t:file { getattr read };
dontaudit ndc_t unlabeled_t:file { getattr read };
')

# named_t may execute its own binary and search sbin_t directories.
can_exec(named_t, named_exec_t)
allow named_t sbin_t:dir search;

# Scheduling, capability-set and rlimit changes on itself.
# NOTE(review): presumably used when named adjusts limits and drops
# privileges at startup - confirm against the BIND version in use.
allow named_t self:process { setsched setcap setrlimit };

# A type for configuration files of named.
# mount_point: directories of this type may have something mounted on them
# (the distro_redhat section below refers to a named chroot).
type named_conf_t, file_type, sysadmfile, mount_point;

# for primary zone files
type named_zone_t, file_type, sysadmfile;

# for secondary zone files
type named_cache_t, file_type, sysadmfile;

# for DNSSEC key files
# secure_file_type marks the key material as sensitive. Only getattr/read
# is granted in this file, so neither named_t nor ndc_t can create or
# modify key files through these rules.
type dnssec_t, file_type, sysadmfile, secure_file_type;
allow { ndc_t named_t } dnssec_t:file { getattr read };

# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): dac_override lets named_t bypass DAC mode bits on files its
# type rules already permit; together with chown and fowner this is the
# set most worth confirming against what the running BIND actually needs.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };

# Read generic /etc files and runtime-generated /etc files.
allow named_t etc_t:file { getattr read };
allow named_t etc_runtime_t:{ file lnk_file } { getattr read };

#Named can use network
can_network(named_t)
# NOTE(review): port_type is the attribute carried by every port type, so
# this permits outbound TCP connects to any labeled port, not only DNS.
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP transfer to/from any program
# NOTE(review): domain is the attribute of every process domain. These
# three rules let any domain send UDP to and TCP-connect to named_t
# (presumably so local resolver clients can reach it) and let named_t
# send UDP to any domain.
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
# Log-file handling for named via the log_domain macro - confirm the
# exact types it creates against the macro definition.
log_domain(named)

# Bind to the named port.
# UDP: the DNS port only. TCP: the DNS port and the rndc control port.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;

# Tunable, off by default. When set, named_t may create and modify primary
# zone files (only needed if named itself rewrites zones, e.g. dynamic
# updates - confirm before enabling on a given server).
bool named_write_master_zones false;

#read configuration files
r_dir_file(named_t, named_conf_t)

# The boolean above is the only source of write access to primary zones;
# with the default, named_zone_t stays read-only for named_t.
if (named_write_master_zones) {
#create and modify zone files
create_dir_file(named_t, named_zone_t)
}
#read zone files
r_dir_file(named_t, named_zone_t)

#write cache for secondary zones
# Secondary zone data is writable unconditionally, unlike primary zones.
rw_dir_create_file(named_t, named_cache_t)

# Local IPC sockets, plus read-only netlink route socket access
# (presumably to enumerate interfaces and routes - confirm).
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:netlink_route_socket r_netlink_socket_perms;

# Read sysctl kernel variables.
read_sysctl(named_t)

# Read /proc/cpuinfo and /proc/net
r_dir_file(named_t, proc_t)
r_dir_file(named_t, proc_net_t)

# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
allow named_t random_device_t:chr_file r_file_perms;

# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;

# Enable named dbus support:
# Compiled in only when dbusd.te is part of the policy. named_t may be
# started by the system bus daemon (presumably D-Bus service activation)
# and exchanges messages with NetworkManager_t, dhcpc_t and initrc_t;
# unconfined_t is added only when unconfined.te is also present.
ifdef(`dbusd.te', `
dbusd_client(system, named)
domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
allow named_t self:dbus send_msg;
allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t named_t:dbus send_msg;
allow named_t unconfined_t:dbus send_msg;
')
')


#################################
#
# Rules for the ndc_t domain.
#
#A type for /usr/sbin/ndc
type ndc_exec_t, file_type,sysadmfile, exec_type;
# Both the interactive admin (sysadm_t) and the init script (initrc_t)
# enter ndc_t when executing an ndc_exec_t file.
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
# Outbound TCP client, with name_connect limited to the rndc port
# (contrast named_t above, which may connect to any port type).
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)

# Red Hat layout: the rndc key lives in the config directory and the init
# script manipulates the named chroot.
ifdef(`distro_redhat', `
# for /etc/rndc.key
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
# NOTE(review): this is not limited to localtime - initrc_t may write and
# setattr every existing named_conf_t file and create directories of that
# type, so the init script can also alter named.conf.
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
# NOTE(review): symlink creation is granted on generic var_run_t rather
# than being scoped to named_var_run_t.
allow initrc_t var_run_t:lnk_file create_file_perms;
ifdef(`automount.te', `
# automount has no need to search the /proc file system for the named chroot
dontaudit automount_t named_zone_t:dir search;
')dnl end ifdef automount.te
')dnl end ifdef distro_redhat

# Both the control utility and the init script read named_conf_t files
# (read-only; the Red Hat write rules above are the exception).
allow { ndc_t initrc_t } named_conf_t:file { getattr read };

allow ndc_t etc_t:dir r_dir_perms;
allow ndc_t etc_t:file r_file_perms;
allow ndc_t self:unix_stream_socket create_stream_socket_perms;
allow ndc_t self:unix_stream_socket connect;
# NOTE(review): net_admin is a broad capability for a control client;
# confirm it and dac_override are still required.
allow ndc_t self:capability { dac_override net_admin };
# Reach the BIND 8 control socket under /var/run and connect to named_t.
allow ndc_t var_t:dir search;
allow ndc_t var_run_t:dir search;
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_t:unix_stream_socket connectto;
# Use file descriptors inherited from privfd domains and init.
allow ndc_t { privfd init_t }:fd use;
# seems to need read as well for some reason
allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
allow ndc_t fs_t:filesystem getattr;

# Read sysctl kernel variables.
read_sysctl(ndc_t)

allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t named_zone_t:dir search;

# for chmod in start script
dontaudit initrc_t named_var_run_t:dir setattr;

# for ndc_t to be used for restart shell scripts
# NOTE(review): this build option widens ndc_t considerably - cron jobs
# may enter it (system_crond_entry) and it may execute any bin_t, sbin_t
# or shell_exec_t program. Leave it off unless restart scripts really run
# as ndc_t.
ifdef(`ndc_shell_script', `
system_crond_entry(ndc_exec_t, ndc_t)
allow ndc_t devtty_t:chr_file { read write ioctl };
allow ndc_t etc_runtime_t:file { getattr read };
allow ndc_t proc_t:dir search;
allow ndc_t proc_t:file { getattr read };
can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
# Suppress audit of ioctl attempts on the admin tty; the access is not
# granted here.
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };