#DESC TINYDNS - Policy file for the tinydns authoritative nameserver
#
# Author: Matthew J. Fanto
#
# Based on the named policy file written by
# Yuichi Nakamura ,
# Russell Coker
#
# X-Debian-Packages: djbdns-installer djbdns
#
# This file confines the tinydns daemon to the tinydns_t domain.  It
# declares the port type, the config and zone file types, and the
# access vectors tinydns_t needs: read-only access to configuration,
# UDP networking, daemontools logging, and a small capability set.
# All rules are allow rules; nothing here grants write access to the
# config or zone types, so a compromised tinydns_t cannot alter its
# own data on disk through these rules.

# we only define tinydns_port_t if we aren't
# using named or nsd, as it would conflict
# NOTE(review): the name_bind rule further down references
# tinydns_port_t unconditionally.  When named.te or nsd.te is present
# this file does not declare the type, so the build relies on that
# other policy providing a type of the same name - confirm before
# enabling this together with named or nsd.
ifdef(`named.te', `', `
ifdef(`nsd.te', `', `
type tinydns_port_t, port_type;
')dnl end if nsd.te
')dnl end if named.te

# creates the tinydns_t domain and tinydns_exec_t entry point type
daemon_domain(tinydns)

# allow programs in the tinydns_t domain to execute tinydns_exec_t binaries
# (no domain transition; the daemon re-executes itself in place)
can_exec(tinydns_t, tinydns_exec_t)

# type for tinydns config files (/etc/tinydns(/.*)?) but does not
# include zone files
type tinydns_conf_t, file_type, sysadmfile;

# for primary zone files (/etc/selinux/root/data)
type tinydns_zone_t, file_type, sysadmfile;

# allow tinydns access to a few files it needs
# (read-only: getattr + read on the generic system file types and
# the resolver configuration; search on the sbin directory only)
allow tinydns_t etc_t:file { getattr read };
allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
allow tinydns_t resolv_conf_t:file { getattr read };
allow tinydns_t sbin_t:dir search;

# tinydns can use the network
can_network(tinydns_t)
# bind only to the dedicated DNS port type, UDP sockets only
allow tinydns_t tinydns_port_t:{ udp_socket } name_bind;
# NOTE(review): both directions against the `domain` attribute, i.e.
# every process domain on the system, may send UDP to and receive UDP
# from tinydns_t.  An authoritative server has to answer arbitrary
# clients, but this is the broadest possible peer set; consider
# narrowing it to the client domains that actually need it.
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)
# datagram socket to itself only (self), not to other domains
allow tinydns_t self:unix_dgram_socket create_socket_perms;

# read configuration files and zone files
# (r_dir_file grants directory search/list and file read, no write)
r_dir_file(tinydns_t, tinydns_conf_t)
r_dir_file(tinydns_t, tinydns_zone_t)

# tinydns writes to a fifo and multilog reads it
# this is used for logging
# (only compiled in when the daemontools policy is present; the fd
# is inherited from svc_start_t and the fifo is write-only here)
ifdef(`daemontools.te', `
allow tinydns_t svc_start_t:fd { use };
allow tinydns_t svc_start_t:fifo_file { write };
')

# allow tinydns to read /proc/meminfo
# (proc_t:file covers more than meminfo; assumed to be the only use)
allow tinydns_t proc_t:file { getattr read };

# allow tinydns to search /etc/tinydns/log
allow tinydns_t svc_log_t:dir { getattr search };

# allow tinydns to search /bin
allow tinydns_t bin_t:dir { search };

# allow tinydns to execute svc_run_exec_t files and transition into
# the svc_run_t domain when daemontools is present
# NOTE(review): domain_auto_trans makes this an automatic transition
# on exec; confirm svc_run_t is not more privileged than tinydns_t.
ifdef(`daemontools.te', `
can_exec(tinydns_t, svc_run_exec_t)
domain_auto_trans(tinydns_t, svc_run_exec_t, svc_run_t)
')

# Set capabilities
# net_bind_service: bind to the privileged DNS port
# sys_chroot / setuid / setgid: presumably for the chroot and
#   privilege drop at startup - TODO confirm against the daemon
# NOTE(review): sys_tty_config is not obviously needed by a DNS
# server; if audit shows no denial without it, drop it.
allow tinydns_t self:capability { sys_tty_config net_bind_service sys_chroot setgid setuid };