trunk: bind update from dan.
This commit is contained in:
parent
48f6456344
commit
f5394cc3cb
@ -1,3 +1,4 @@
|
|||||||
|
/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||||
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||||
|
|
||||||
|
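Review bot: The new file-context entry `/etc/rc.d/init.d/named` leaves its dots unescaped, and in a file-contexts regex `.` matches any character, so the pattern is wider than the literal path it is meant to label; the neighbouring `/etc/rndc\.key` line shows the escaping convention this file already follows. Suggest `/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)`. The pre-existing `/etc/rndc.*` entry has the same looseness but is context here, not part of this change.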
@ -254,3 +254,29 @@ interface(`bind_read_zone',`
|
|||||||
interface(`bind_udp_chat_named',`
|
interface(`bind_udp_chat_named',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
refpolicywarn(`$0($*) has been deprecated.')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an bind environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`bind_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type named_t, ndc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 named_t:process { ptrace signal_perms };
|
||||||
|
ps_process_pattern($1, named_t)
|
||||||
|
|
||||||
|
allow $1 ndc_t:process { ptrace signal_perms };
|
||||||
|
ps_process_pattern($1, ndc_t)
|
||||||
|
|
||||||
|
bind_run_ndc($1, $2, $3)
|
||||||
|
')
|
||||||
|
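Review bot: The `bind_admin` header documents only `<param name="domain">`, but the body calls `bind_run_ndc($1, $2, $3)`, so the interface also takes a role and a terminal argument that the XML documentation omits; add `<param name="role">` and `<param name="terminal">` blocks in the same `## <summary>`/`## </summary>` form as the existing one, with wording matching whatever `bind_run_ndc` documents for its second and third arguments. The summary line `## an bind environment` should read `## a bind environment`. Separately, this commit declares `named_initrc_exec_t` in the `@ -35,6 +35,9` hunk, yet `bind_admin` never references it, so an admin domain gains ptrace/signal over `named_t` and `ndc_t` through this interface but no path to the init script; if the new type is meant to be consumed here, that part appears to be missing (it may be handled elsewhere in the file, outside these hunks).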
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bind, 1.7.1)
|
policy_module(bind, 1.7.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -35,6 +35,9 @@ files_mountpoint(named_conf_t)
|
|||||||
type named_cache_t;
|
type named_cache_t;
|
||||||
files_type(named_cache_t)
|
files_type(named_cache_t)
|
||||||
|
|
||||||
|
type named_initrc_exec_t;
|
||||||
|
init_script_file(named_initrc_exec_t)
|
||||||
|
|
||||||
type named_log_t;
|
type named_log_t;
|
||||||
logging_log_file(named_log_t)
|
logging_log_file(named_log_t)
|
||||||
|
|
||||||
@ -60,7 +63,7 @@ role system_r types ndc_t;
|
|||||||
|
|
||||||
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
|
allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
|
||||||
dontaudit named_t self:capability sys_tty_config;
|
dontaudit named_t self:capability sys_tty_config;
|
||||||
allow named_t self:process { setsched setcap setrlimit signal_perms };
|
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
|
||||||
allow named_t self:fifo_file rw_fifo_file_perms;
|
allow named_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow named_t self:unix_stream_socket create_stream_socket_perms;
|
allow named_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow named_t self:unix_dgram_socket create_socket_perms;
|
allow named_t self:unix_dgram_socket create_socket_perms;
|
||||||
@ -222,6 +225,7 @@ corenet_all_recvfrom_netlabel(ndc_t)
|
|||||||
corenet_tcp_sendrecv_all_if(ndc_t)
|
corenet_tcp_sendrecv_all_if(ndc_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(ndc_t)
|
corenet_tcp_sendrecv_all_nodes(ndc_t)
|
||||||
corenet_tcp_sendrecv_all_ports(ndc_t)
|
corenet_tcp_sendrecv_all_ports(ndc_t)
|
||||||
|
corenet_tcp_bind_all_nodes(ndc_t)
|
||||||
corenet_tcp_connect_rndc_port(ndc_t)
|
corenet_tcp_connect_rndc_port(ndc_t)
|
||||||
corenet_sendrecv_rndc_client_packets(ndc_t)
|
corenet_sendrecv_rndc_client_packets(ndc_t)
|
||||||
|
|
||||||
|
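Review bot: `corenet_tcp_bind_all_nodes(ndc_t)` is the only bind rule in a block that is otherwise purely client-side (sendrecv on all interfaces/nodes/ports, connect to the rndc port, rndc client packets), and nothing in the hunk says why the rndc client needs to bind a local address. A one-line comment above it would save the next reader a search, e.g. `# rndc may bind a local source address before connecting (rndc -b)` — presumably that is the trigger; confirm against the denial that motivated the change. No port-bind interface is granted with it, which is consistent with a source-address bind rather than turning `ndc_t` into a listener, but the comment should state which.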