trunk: bind update from dan.

This commit is contained in:
Chris PeBenito 2008-09-15 17:02:57 +00:00
parent 48f6456344
commit f5394cc3cb
3 changed files with 33 additions and 2 deletions


@ -1,3 +1,4 @@
/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
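Review bot: The new entry `/etc/rc.d/init.d/named` leaves both dots unescaped while the neighbouring `/etc/rndc\.key` entry escapes its dot; a file_contexts path is a regular expression, so an unescaped `.` matches any character and the rule labels more than the literal init script. For consistency with the existing entry and to match exactly the intended path, write `/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)`. The practical exposure is small, but an over-broad regex in an fc file is the kind of thing that later labels an unintended file or sorts differently than expected.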


@ -254,3 +254,29 @@ interface(`bind_read_zone',`
interface(`bind_udp_chat_named',` interface(`bind_udp_chat_named',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
########################################
## <summary>
## All of the rules required to administrate
## an bind environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`bind_admin',`
gen_require(`
type named_t, ndc_t;
')
allow $1 named_t:process { ptrace signal_perms };
ps_process_pattern($1, named_t)
allow $1 ndc_t:process { ptrace signal_perms };
ps_process_pattern($1, ndc_t)
bind_run_ndc($1, $2, $3)
')
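Review bot: The XML header above `bind_admin` documents only `domain`, yet the body forwards `$2` and `$3` to `bind_run_ndc($1, $2, $3)`, so a caller reading the interface summary cannot tell that a role and a terminal type are required. Add `<param name="role">` and `<param name="terminal">` blocks mirroring the ones on `bind_run_ndc` (its definition is outside this hunk) and correct the summary wording to `## a bind environment`. Separately, the interface grants ptrace and signals on named_t and ndc_t but nothing on the named_conf_t, named_cache_t or named_log_t files labelled elsewhere in this commit, nor on the new named_initrc_exec_t script; if the intent is a full admin interface those file-management rules and the init-script transition belong here too, otherwise a short comment stating the deliberately narrower scope would avoid that expectation.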


@ -1,5 +1,5 @@
policy_module(bind, 1.7.1) policy_module(bind, 1.7.2)
######################################## ########################################
# #
@ -35,6 +35,9 @@ files_mountpoint(named_conf_t)
type named_cache_t; type named_cache_t;
files_type(named_cache_t) files_type(named_cache_t)
type named_initrc_exec_t;
init_script_file(named_initrc_exec_t)
type named_log_t; type named_log_t;
logging_log_file(named_log_t) logging_log_file(named_log_t)
@ -60,7 +63,7 @@ role system_r types ndc_t;
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config; dontaudit named_t self:capability sys_tty_config;
allow named_t self:process { setsched setcap setrlimit signal_perms }; allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket create_stream_socket_perms; allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:unix_dgram_socket create_socket_perms;
@ -222,6 +225,7 @@ corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_all_if(ndc_t) corenet_tcp_sendrecv_all_if(ndc_t)
corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_bind_all_nodes(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t) corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t)