selinux-policy/targeted/domains/program/named.te

#DESC BIND - Name server
#
# Authors: Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker
# X-Debian-Packages: bind bind9
#
# SELinux type enforcement rules for BIND, preprocessed by m4 before being
# compiled: the conditional blocks below are only emitted when the named
# policy module or build option is present, so the effective rule set
# depends on how the policy was built. Two domains are confined here:
# named_t (the daemon) and ndc_t (the control utility).
#
#################################
#
# Rules for the named_t domain.
#
# Declares named_t as a daemon domain with the extra attribute
# nscd_client_domain. named_exec_t and named_var_run_t are used below
# without a local type declaration, so they are expected to come from
# this macro (which is defined outside this file).
daemon_domain(named, `, nscd_client_domain')
# Private temporary-file type for named (macro defined outside this file).
tmp_domain(named)
# Entry point for the configuration checker. Running it from initrc_t
# sets up an automatic transition into named_t, so the checker runs with
# the full named_t policy rather than a domain of its own.
type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
# For /var/run/ndc used in BIND 8: sockets named_t creates under var_run_t
# are given the named_var_run_t label.
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
# ndc_t is the domain for the ndc program; it may be entered from the
# sysadm_r and system_r roles.
type ndc_t, domain, privlog, nscd_client_domain;
role sysadm_r types ndc_t;
role system_r types ndc_t;
# Targeted policy only: silence denials when ndc_t looks at files labelled
# root_t or unlabeled_t, without granting the access.
ifdef(`targeted_policy', `
dontaudit ndc_t root_t:file { getattr read };
dontaudit ndc_t unlabeled_t:file { getattr read };
')
# named_t may execute its own binary without a domain change.
can_exec(named_t, named_exec_t)
allow named_t sbin_t:dir search;
# Scheduling, capability-set and resource-limit changes on itself.
allow named_t self:process { setsched setcap setrlimit };
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile, mount_point;
# for primary zone files
type named_zone_t, file_type, sysadmfile;
# for secondary zone files
type named_cache_t, file_type, sysadmfile;
# for DNSSEC key files. secure_file_type marks them as sensitive; within
# the rules visible here the only access granted is the read-only one below.
type dnssec_t, file_type, sysadmfile, secure_file_type;
allow { ndc_t named_t } dnssec_t:file { getattr read };
# Use capabilities. Surplus capabilities may be allowed.
# NOTE(review): this set is broad. dac_override, chown and fowner let
# named_t bypass or change ordinary file permissions, and sys_chroot allows
# chroot operation; net_bind_service is the one clearly required for the
# DNS port. Worth confirming each is still needed on the target platform.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
allow named_t etc_t:file { getattr read };
allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
#Named can use network
can_network(named_t)
# NOTE(review): port_type is the attribute covering every declared port
# type, so named_t may open a TCP connection to any labelled port, not
# just dns_port_t. That is wider than DNS itself needs; consider narrowing.
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP transfer to/from any program, and let any domain connect to
# named_t over TCP. Every confined domain can therefore reach the server.
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
log_domain(named)
# Bind to the named port (UDP and TCP), plus the rndc control port on TCP.
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
# Tunable, off by default: with it off, primary zone files stay read-only
# for named_t (see the read rule below). Turning it on additionally lets
# named_t create and modify named_zone_t files and directories, e.g. for
# dynamic zone updates.
bool named_write_master_zones false;
#read configuration files
r_dir_file(named_t, named_conf_t)
if (named_write_master_zones) {
#create and modify zone files
create_dir_file(named_t, named_zone_t)
}
#read zone files
r_dir_file(named_t, named_zone_t)
#write cache for secondary zones
rw_dir_create_file(named_t, named_cache_t)
# Local sockets: unix stream/datagram sockets of its own and a read-only
# netlink route socket.
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:netlink_route_socket r_netlink_socket_perms;
# Read sysctl kernel variables.
read_sysctl(named_t)
# Read /proc/cpuinfo and /proc/net
r_dir_file(named_t, proc_t)
r_dir_file(named_t, proc_net_t)
# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
allow named_t random_device_t:chr_file r_file_perms;
# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;
# Enable named dbus support:
# system_dbusd_t may start named by executing named_exec_t (bus
# activation), and named_t exchanges D-Bus messages in both directions
# with NetworkManager_t, dhcpc_t and initrc_t, plus unconfined_t when the
# unconfined policy is built in.
ifdef(`dbusd.te', `
dbusd_client(system, named)
domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
allow named_t self:dbus send_msg;
allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t named_t:dbus send_msg;
allow named_t unconfined_t:dbus send_msg;
')
')
# Set own capabilities. (Comment appears stale: no capability rule follows
# here; the setcap permission on named_t self:process is granted above.)
#A type for /usr/sbin/ndc. Executing it from sysadm_t or initrc_t
# transitions into ndc_t.
type ndc_exec_t, file_type,sysadmfile, exec_type;
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
# Network client access: TCP connections, specifically to the rndc control
# port, plus NIS and DNS resolution; direct TCP connections to named_t.
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)
# Red Hat specific rules.
ifdef(`distro_redhat', `
# for /etc/rndc.key
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
# Review note: this grants write and setattr on every named_conf_t file,
# not only the copied localtime file, so the init script could also alter
# the named configuration itself.
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
allow initrc_t var_run_t:lnk_file create_file_perms;
ifdef(`automount.te', `
# automount has no need to search the /proc file system for the named chroot
dontaudit automount_t named_zone_t:dir search;
')dnl end ifdef automount.te
')dnl end ifdef distro_redhat
# Read named configuration (ndc_t and initrc_t) and /etc.
allow { ndc_t initrc_t } named_conf_t:file { getattr read };
allow ndc_t etc_t:dir r_dir_perms;
allow ndc_t etc_t:file r_file_perms;
allow ndc_t self:unix_stream_socket create_stream_socket_perms;
allow ndc_t self:unix_stream_socket connect;
# NOTE(review): net_admin is a powerful capability for a control utility;
# its purpose is not evident from this file. Confirm it is still required.
allow ndc_t self:capability { dac_override net_admin };
# Reach the named control socket under /var/run and talk to named_t.
allow ndc_t var_t:dir search;
allow ndc_t var_run_t:dir search;
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_t:unix_stream_socket connectto;
# Use file descriptors inherited from privileged domains and init_t.
allow ndc_t { privfd init_t }:fd use;
# seems to need read as well for some reason
allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
allow ndc_t fs_t:filesystem getattr;
# Read sysctl kernel variables.
read_sysctl(ndc_t)
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t named_zone_t:dir search;
# for chmod in start script
dontaudit initrc_t named_var_run_t:dir setattr;
# for ndc_t to be used for restart shell scripts
# NOTE(review): when this build option is set, ndc_t appears to become a
# cron entry point and may execute bin_t, sbin_t and shell_exec_t programs,
# which makes it a general scripting domain rather than a narrow
# control-utility domain.
ifdef(`ndc_shell_script', `
system_crond_entry(ndc_exec_t, ndc_t)
allow ndc_t devtty_t:chr_file { read write ioctl };
allow ndc_t etc_runtime_t:file { getattr read };
allow ndc_t proc_t:dir search;
allow ndc_t proc_t:file { getattr read };
can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
# Read-only netlink route socket; silence tty ioctl denials.
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };