From: "Matthew J. Fanto" <mattjf@uncompiled.com>
To: selinux@tycho.nsa.gov
Subject: Tinydns Policy Files
Date: Sun, 02 May 2004 13:17:29 -0400
Message-ID: <1083518249.543.9.camel@ares>
[-- Attachment #1: Type: text/plain, Size: 174 bytes --]
Here are updated policy files for tinydns. This is the first policy file
I've written, so I'd appreciate any feedback. This was written for
Debian stable.
-Matthew J. Fanto
[-- Attachment #2: tinydns.fc --]
[-- Type: text/plain, Size: 406 bytes --]
# tinydns
# entries are regular expressions (setfiles uses extended regex), so a
# trailing .* rather than a bare * is needed to match data.cdb, the
# run scripts and the tinydns-* binaries
/etc/tinydns? system_u:object_r:tinydns_conf_t
/etc/tinydns/root(/.*)? system_u:object_r:tinydns_conf_t
/etc/tinydns/env(/.*)? system_u:object_r:tinydns_conf_t
/etc/tinydns/root/data.* -- system_u:object_r:tinydns_zone_t
/etc/tinydns/run.* -- system_u:object_r:tinydns_exec_t
/etc/tinydns/log/run.* -- system_u:object_r:tinydns_exec_t
/usr/bin/tinydns.* -- system_u:object_r:tinydns_exec_t
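To check what contexts these entries produce, here is an added Python model of the file_contexts matching rules (example code, not part of the posting or of SELinux): each entry is an anchored regular expression, a type specifier such as `--` restricts an entry to regular files, and among matching entries the last one in the file wins (newer libselinux sorts entries by specificity first, which gives the same answers here). It embeds the attachment's entries with the trailing `*` written as `.*`, since in a regular expression a bare `*` only repeats the preceding character.

```python
import re

# tinydns.fc entries from the attachment, embedded so this runs offline; the
# original's trailing "*" is written as the regex ".*" (a bare "*" would only
# repeat the preceding character, so "data*" could not match data.cdb).
TINYDNS_FC = """\
/etc/tinydns? system_u:object_r:tinydns_conf_t
/etc/tinydns/root(/.*)? system_u:object_r:tinydns_conf_t
/etc/tinydns/env(/.*)? system_u:object_r:tinydns_conf_t
/etc/tinydns/root/data.* -- system_u:object_r:tinydns_zone_t
/etc/tinydns/run.* -- system_u:object_r:tinydns_exec_t
/etc/tinydns/log/run.* -- system_u:object_r:tinydns_exec_t
/usr/bin/tinydns.* -- system_u:object_r:tinydns_exec_t
"""

# file_contexts type specifiers; an entry without one matches any object type
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "lnk", "-p": "fifo",
              "-s": "sock", "-b": "blk", "-c": "chr"}

def parse_fc(text):
    """Parse file_contexts text into (anchored regex, object type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields[0], FILE_TYPES[fields[1]], fields[2]
        else:
            regex, ftype, context = fields[0], None, fields[1]
        # setfiles anchors every entry at both ends of the pathname
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def lookup(specs, path, ftype="file"):
    """Context setfiles would assign to path (None if unlabelled): an entry with a
    type specifier applies only to that object type, and the last match wins."""
    result = None
    for regex, spec_type, context in specs:
        if regex.match(path) and spec_type in (None, ftype):
            result = context
    return result

SPECS = parse_fc(TINYDNS_FC)
if __name__ == "__main__":
    for path, ftype in [("/etc/tinydns", "dir"), ("/etc/tinydns/root/data.cdb", "file"),
                        ("/etc/tinydns/root/data", "dir"), ("/usr/bin/tinydns-data", "file"),
                        ("/etc/tinydns/log/main/current", "file")]:
        print(f"{path:32} {ftype:4} -> {lookup(SPECS, path, ftype)}")
```

Note that a directory named data under /etc/tinydns/root stays tinydns_conf_t because the zone entry carries the `--` specifier, and files under /etc/tinydns/log/main get no label from this file at all (the daemontools policy's svc_log_t is expected to cover them).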
[-- Attachment #3: tinydns.te --]
[-- Type: text/plain, Size: 2207 bytes --]
#DESC TINYDNS - Policy file for the tinydns authoritative nameserver
#
# Author: Matthew J. Fanto <mattjf@uncompiled.com>
#
# Based off Named policy file written by
# Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: djbdns-installer djbdns
# we only define tinydns_port_t if we aren't
# using named or nsd, as it would conflict
ifdef(`named.te', `', `
ifdef(`nsd.te', `', `
type tinydns_port_t, port_type;
')dnl end if nsd.te
')dnl end if named.te
daemon_domain(tinydns)
# allow programs in the tinydns_t domain to execute tinydns_exec_t binaries
can_exec(tinydns_t, tinydns_exec_t)
# type for tinydns config files (/etc/tinydns(/.*)?) but does not
# include zone files
type tinydns_conf_t, file_type, sysadmfile;
# for primary zone files (/etc/tinydns/root/data)
type tinydns_zone_t, file_type, sysadmfile;
# allow tinydns access to a few files it needs
allow tinydns_t etc_t:file { getattr read };
allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
allow tinydns_t resolv_conf_t:file { getattr read };
allow tinydns_t sbin_t:dir search;
# tinydns can use the network
can_network(tinydns_t)
allow tinydns_t tinydns_port_t:{ udp_socket } name_bind;
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)
allow tinydns_t self:unix_dgram_socket create_socket_perms;
# read configuration files and zone files
r_dir_file(tinydns_t, tinydns_conf_t)
r_dir_file(tinydns_t, tinydns_zone_t)
# tinydns writes to a fifo and multilog reads it
# this is used for logging
ifdef(`daemontools.te', `
allow tinydns_t svc_start_t:fd { use };
allow tinydns_t svc_start_t:fifo_file { write };
')
# allow tinydns to read /proc/meminfo
allow tinydns_t proc_t:file { getattr read };
# allow tinydns to search /etc/tinydns/log
allow tinydns_t svc_log_t:dir { getattr search };
# allow tinydns to search /bin
allow tinydns_t bin_t:dir { search };
# allow tinydns to execute svc_run_exec_t files and transition to the svc_run_t domain
ifdef(`daemontools.te', `
can_exec(tinydns_t, svc_run_exec_t)
domain_auto_trans(tinydns_t, svc_run_exec_t, svc_run_t)
')
# Set capabilities
allow tinydns_t self:capability { sys_tty_config net_bind_service sys_chroot setgid setuid };