# DESC selinux policy for djbdns
# http://cr.yp.to/djbdns.html
#
# Author: petre rodan
#
# this policy depends on ucspi-tcp and daemontools policies
#
# Three domains are declared below: djbdns_dnscache_t and djbdns_tinydns_t
# (run under daemontools supervise) and djbdns_axfrdns_t (run per connection
# by tcpserver). Each gets a matching djbdns_NAME_conf_t file type.
# The whole file is a no-op unless both dependency policies are present.

ifdef(`daemontools.te', `
ifdef(`ucspi-tcp.te', `

# djbdns_daemon_domain(NAME): declares djbdns_NAME_t as a daemon domain that
# supervise (svc_run_t) transitions into, plus the djbdns_NAME_conf_t file type.
define(`djbdns_daemon_domain', `
# config and data files of this daemon; only read access is granted below
type djbdns_$1_conf_t, file_type, sysadmfile;
daemon_domain(djbdns_$1)
# executing the daemon binary from svc_run_t enters the daemon domain
domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
svc_ipc_domain(djbdns_$1_t)
can_network(djbdns_$1_t)
# NOTE(review): name_connect on port_type permits outbound TCP to every labelled
# port, not just DNS. dnscache presumably only needs dns_port_t for TCP queries
# upstream and tinydns none at all; narrowing this is a least-privilege change
# for the maintainer to confirm, the rule is left as written.
allow djbdns_$1_t port_type:tcp_socket name_connect;
# bind port 53; the generic port_t udp bind is presumably for query source ports
allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
allow djbdns_$1_t port_t:udp_socket name_bind;
r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
# presumably: net_bind_service for port 53, sys_chroot plus setuid/setgid for
# the chroot-and-drop-privileges startup of the djbdns daemons
allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
# service directory maintained by supervise
allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
')

# djbdns_tcpserver_domain(NAME): like djbdns_daemon_domain, but the daemon is
# started by tcpserver (utcpserver_t), which holds the listening socket; the
# daemon domain itself gets no bind or connect permissions.
define(`djbdns_tcpserver_domain', `
type djbdns_$1_conf_t, file_type, sysadmfile;
daemon_domain(djbdns_$1)
# tcpserver, not supervise, execs the daemon
domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
svc_ipc_domain(djbdns_$1_t)
# tcpserver binds port 53 on behalf of the daemon; this rule is emitted once per
# invocation of the macro and duplicate allow rules are merged
allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
# the accepted connection is a socket owned by tcpserver
allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
')

# dnscache (caching resolver), supervised by daemontools
djbdns_daemon_domain(dnscache)
# read seed file
allow djbdns_dnscache_t svc_svc_t:file r_file_perms;

# tinydns (authoritative server), supervised by daemontools
djbdns_daemon_domain(tinydns)

# axfrdns (zone transfers), spawned by tcpserver
djbdns_tcpserver_domain(axfrdns)
# NOTE(review): this grants axfrdns read on dirs and files labelled with the
# tinydns process domain type (djbdns_tinydns_t), not djbdns_tinydns_conf_t.
# axfrdns presumably serves the tinydns data file, which the file contexts
# would label djbdns_tinydns_conf_t; confirm which label is intended.
r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)

') dnl ifdef ucspi-tcp.te
') dnl ifdef daemontools.te