#DESC BIND - Name server # # Authors: Yuichi Nakamura , # Russell Coker # X-Debian-Packages: bind bind9 # # ################################# # # Rules for the named_t domain. # daemon_domain(named, `, nscd_client_domain') tmp_domain(named) type named_checkconf_exec_t, file_type, exec_type, sysadmfile; domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t) # For /var/run/ndc used in BIND 8 file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file) # ndc_t is the domain for the ndc program type ndc_t, domain, privlog, nscd_client_domain; role sysadm_r types ndc_t; role system_r types ndc_t; ifdef(`targeted_policy', ` dontaudit ndc_t root_t:file { getattr read }; dontaudit ndc_t unlabeled_t:file { getattr read }; ') can_exec(named_t, named_exec_t) allow named_t sbin_t:dir search; allow named_t self:process { setsched setcap setrlimit }; # A type for configuration files of named. type named_conf_t, file_type, sysadmfile, mount_point; # for primary zone files type named_zone_t, file_type, sysadmfile; # for secondary zone files type named_cache_t, file_type, sysadmfile; # for DNSSEC key files type dnssec_t, file_type, sysadmfile, secure_file_type; allow { ndc_t named_t } dnssec_t:file { getattr read }; # Use capabilities. Surplus capabilities may be allowed. allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource }; allow named_t etc_t:file { getattr read }; allow named_t etc_runtime_t:{ file lnk_file } { getattr read }; #Named can use network can_network(named_t) allow named_t port_type:tcp_socket name_connect; can_ypbind(named_t) # allow UDP transfer to/from any program can_udp_send(domain, named_t) can_udp_send(named_t, domain) can_tcp_connect(domain, named_t) log_domain(named) # Bind to the named port. allow named_t dns_port_t:udp_socket name_bind; allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind; bool named_write_master_zones false; #read configuration files r_dir_file(named_t, named_conf_t) if (named_write_master_zones) { #create and modify zone files create_dir_file(named_t, named_zone_t) } #read zone files r_dir_file(named_t, named_zone_t) #write cache for secondary zones rw_dir_create_file(named_t, named_cache_t) allow named_t self:unix_stream_socket create_stream_socket_perms; allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:netlink_route_socket r_netlink_socket_perms; # Read sysctl kernel variables. read_sysctl(named_t) # Read /proc/cpuinfo and /proc/net r_dir_file(named_t, proc_t) r_dir_file(named_t, proc_net_t) # Read /dev/random. allow named_t device_t:dir r_dir_perms; allow named_t random_device_t:chr_file r_file_perms; # Use a pipe created by self. allow named_t self:fifo_file rw_file_perms; # Enable named dbus support: ifdef(`dbusd.te', ` dbusd_client(system, named) domain_auto_trans(system_dbusd_t, named_exec_t, named_t) allow named_t system_dbusd_t:dbus { acquire_svc send_msg }; allow named_t self:dbus send_msg; ') # Set own capabilities. #A type for /usr/sbin/ndc type ndc_exec_t, file_type,sysadmfile, exec_type; domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t) uses_shlib(ndc_t) can_network_client_tcp(ndc_t) allow ndc_t rndc_port_t:tcp_socket name_connect; can_ypbind(ndc_t) can_resolve(ndc_t) read_locale(ndc_t) can_tcp_connect(ndc_t, named_t) ifdef(`distro_redhat', ` # for /etc/rndc.key allow { ndc_t initrc_t } named_conf_t:dir search; # Allow init script to cp localtime to named_conf_t allow initrc_t named_conf_t:file { setattr write }; allow initrc_t named_conf_t:dir create_dir_perms; ') allow { ndc_t initrc_t } named_conf_t:file { getattr read }; allow ndc_t etc_t:dir r_dir_perms; allow ndc_t etc_t:file r_file_perms; allow ndc_t self:unix_stream_socket create_stream_socket_perms; allow ndc_t self:unix_stream_socket connect; allow ndc_t self:capability { dac_override net_admin }; allow ndc_t var_t:dir search; allow ndc_t var_run_t:dir search; allow ndc_t named_var_run_t:sock_file rw_file_perms; allow ndc_t named_t:unix_stream_socket connectto; allow ndc_t { privfd init_t }:fd use; # seems to need read as well for some reason allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write }; allow ndc_t fs_t:filesystem getattr; # Read sysctl kernel variables. read_sysctl(ndc_t) allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file { read write getattr ioctl }; allow ndc_t named_zone_t:dir search; # for chmod in start script dontaudit initrc_t named_var_run_t:dir setattr; # for ndc_t to be used for restart shell scripts ifdef(`ndc_shell_script', ` system_crond_entry(ndc_exec_t, ndc_t) allow ndc_t devtty_t:chr_file { read write ioctl }; allow ndc_t etc_runtime_t:file { getattr read }; allow ndc_t proc_t:dir search; allow ndc_t proc_t:file { getattr read }; can_exec(ndc_t, { bin_t sbin_t shell_exec_t }) allow ndc_t named_var_run_t:file getattr; allow ndc_t named_zone_t:dir { read getattr }; allow ndc_t named_zone_t:file getattr; dontaudit ndc_t sysadm_home_t:dir { getattr search read }; ') allow ndc_t self:netlink_route_socket r_netlink_socket_perms; dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };