#DESC Authoritative only name server
#
# Author: Russell Coker
# X-Debian-Packages: nsd
#
#################################
#
# Rules for the nsd_t domain.
#
# Two domains are declared in this file: nsd_t for the daemon itself and
# nsd_crond_t for the zone update cron job.  Keeping the job in its own domain
# means the network-facing daemon does not inherit the write access the job
# needs on the zone directory; nsd_t only reads nsd_conf_t / nsd_zone_t and
# may create nsd_db_t files (see the file_type_auto_trans rules below).
#
daemon_domain(nsd)

# a type for nsd.db (the database files created under nsd_zone_t directories
# via the auto-transition rule further down)
type nsd_db_t, file_type, sysadmfile;

# for zone update cron job
# NOTE(review): privlog presumably grants syslog access - confirm against the
# macro definition in the base policy.
type nsd_crond_t, domain, privlog;
role system_r types nsd_crond_t;
uses_shlib(nsd_crond_t)

# The cron job acts as a network client (presumably to fetch zone data).
# NOTE(review): name_connect on the port_type attribute allows connecting to
# ANY TCP port; if the job only talks to a known set of ports, narrowing this
# to the corresponding port types would limit what a compromised job can
# reach.
can_network_client(nsd_crond_t)
allow nsd_crond_t port_type:tcp_socket name_connect;
can_ypbind(nsd_crond_t)
allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
allow nsd_crond_t self:process { fork signal_perms };

# Entry point: executing an nsd_exec_t file from the system cron domain
# transitions into nsd_crond_t (as the macro name suggests - confirm).
system_crond_entry(nsd_exec_t, nsd_crond_t)
allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
allow nsd_crond_t proc_t:lnk_file { getattr read };
allow nsd_crond_t { bin_t sbin_t }:dir search;

# The job runs the nsd binaries as well as ordinary shell tooling.
can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
allow nsd_crond_t bin_t:lnk_file read;
read_locale(nsd_crond_t)
allow nsd_crond_t self:fifo_file rw_file_perms;

# kill capability for root cron job and non-root daemon
# NOTE(review): dac_override is also granted here, which bypasses file mode
# checks entirely; the rules below already label everything the job touches,
# so check whether it is still required.
allow nsd_crond_t self:capability { dac_override kill };
allow nsd_crond_t nsd_t:process signal;

# Noise suppression only: these denials are expected and not logged.
# domain:dir search covers the /proc entries of other processes.
dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
dontaudit nsd_crond_t self:capability sys_nice;
dontaudit nsd_crond_t domain:dir search;
allow nsd_crond_t self:process setsched;

# Lets the job inspect the daemon process (ps-style /proc access).
can_ps(nsd_crond_t, nsd_t)

# File labelling on create:
#  - files the job creates in nsd_conf_t directories become nsd_zone_t;
#  - files either domain creates in nsd_zone_t directories become nsd_db_t.
# As this macro conventionally does, it also grants the directory write and
# file create permissions needed for that.  So nsd_t may add nsd_db_t files
# under the zone directory, but gets no write access to nsd_zone_t or
# nsd_conf_t files themselves (only r_dir_file below).
file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
allow nsd_crond_t var_lib_t:dir search;
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
allow nsd_crond_t proc_t:dir r_dir_perms;
allow nsd_crond_t device_t:dir search;
allow nsd_crond_t devtty_t:chr_file rw_file_perms;
allow nsd_crond_t etc_t:file { getattr read };
allow nsd_crond_t etc_t:lnk_file read;
allow nsd_crond_t { var_t var_run_t }:dir search;

# Read the daemon pid file (pairs with the nsd_t:process signal rule above).
allow nsd_crond_t nsd_var_run_t:file { getattr read };

# for SSP
allow nsd_crond_t urandom_device_t:chr_file read;

# A type for configuration files of nsd
type nsd_conf_t, file_type, sysadmfile;

# A type for zone files
type nsd_zone_t, file_type, sysadmfile;

# The daemon only reads its configuration and zone files.
r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })

# zone files may be in /var/lib/nsd
allow nsd_t var_lib_t:dir search;

# The init script needs read access to the configuration.
r_dir_file(initrc_t, nsd_conf_t)
allow nsd_t etc_runtime_t:file { getattr read };
allow nsd_t proc_t:file { getattr read };
allow nsd_t { sbin_t bin_t }:dir search;

# NOTE(review): this lets the daemon execute any bin_t file, not only its own
# nsd_exec_t binaries; if nsd only re-executes itself this could be tightened.
can_exec(nsd_t, { nsd_exec_t bin_t })

# Use capabilities. chown is for chowning /var/run/nsd.pid
# net_bind_service is needed for the dns_port_t name_bind rules below;
# setuid/setgid presumably for dropping privileges after startup.
# dac_override bypasses file mode checks entirely - verify it is still needed.
allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
allow nsd_t etc_t:{ file lnk_file } { getattr read };

# nsd can use network
can_network_server(nsd_t)
can_ypbind(nsd_t)

# allow client access from caching BIND
# (only compiled in when the named policy is present)
ifdef(`named.te', `
can_udp_send(named_t, nsd_t)
can_udp_send(nsd_t, named_t)
can_tcp_connect(named_t, nsd_t)
')

# if you want to allow all programs to contact the primary name server
#can_udp_send(domain, nsd_t)
#can_udp_send(nsd_t, domain)
#can_tcp_connect(domain, nsd_t)

# Bind to the named port.
allow nsd_t dns_port_t:udp_socket name_bind;
allow nsd_t dns_port_t:tcp_socket name_bind;
allow nsd_t self:unix_stream_socket create_stream_socket_perms;
allow nsd_t self:unix_dgram_socket create_socket_perms;