From: "Matthew J. Fanto" <mattjf@uncompiled.com>
To: selinux@tycho.nsa.gov
Subject: Dnscache Policy Files
Date: Sun, 02 May 2004 13:19:17 -0400
Message-ID: <1083518357.543.12.camel@ares>


Here are policy files for Dnscache (the caching nameserver portion of
djbdns).

-Matthew J. Fanto

[-- Attachment #2: dnscache.fc --]

# dnscache
# /etc/dnscache and everything below it default to the config type (this is
# what the comment in dnscache.te describes); the more specific run-script
# entries later in the file override it for those files.
/etc/dnscache(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/root(/.*)?	system_u:object_r:dnscache_conf_t
/etc/dnscache/env(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/seed		system_u:object_r:dnscache_conf_t
# file_contexts patterns are regular expressions, not shell globs: "run*"
# would match "ru" and "runn" but not "run.sh", so ".*" carries the glob meaning.
/etc/dnscache/run.*	--	system_u:object_r:dnscache_exec_t
/etc/dnscache/log/run.*	--	system_u:object_r:dnscache_exec_t
/usr/bin/dnscache.*	--	system_u:object_r:dnscache_exec_t

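An added example, not part of the post: a small resolver for the file_contexts format of the attachment above, showing how the optional `--` object-class flag and last-match precedence decide which type a given path receives. The embedded sample is a constructed copy of the posted dnscache.fc with regex-style patterns.

```python
import re

# Constructed sample: the posted dnscache.fc with regex-style patterns (".*"
# rather than "*") and the first entry widened to cover the whole directory.
SAMPLE_FC = """\
# dnscache
/etc/dnscache(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/root(/.*)?	system_u:object_r:dnscache_conf_t
/etc/dnscache/env(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/seed		system_u:object_r:dnscache_conf_t
/etc/dnscache/run.*	--	system_u:object_r:dnscache_exec_t
/etc/dnscache/log/run.*	--	system_u:object_r:dnscache_exec_t
/usr/bin/dnscache.*	--	system_u:object_r:dnscache_exec_t
"""

# Optional middle field restricts an entry to one object class.
FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-p": "fifo_file",
         "-s": "sock_file", "-c": "chr_file", "-b": "blk_file"}

def parse_fc(text):
    """Return a list of (compiled regex, object class or None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            file_type = FLAGS[flag]
        elif len(fields) == 2:
            (pattern, context), file_type = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        entries.append((re.compile(pattern), file_type, context))
    return entries

def label_type(entries, path, file_type="file"):
    """Type an object of class file_type at path receives, or None.
    The regex must match the whole path and, when several entries match,
    the last one wins (the setfiles convention)."""
    winner = None
    for regex, entry_type, context in entries:
        if entry_type in (None, file_type) and regex.fullmatch(path):
            winner = context
    return winner.rsplit(":", 1)[-1] if winner else None

DNSCACHE_FC = parse_fc(SAMPLE_FC)
```

Note that `/etc/dnscache/run` gets dnscache_exec_t as a regular file but dnscache_conf_t as a directory, because the `--` flag keeps the exec entry from applying to directories.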
[-- Attachment #3: dnscache.te --]

#DESC DNSCACHE - Policy file for the dnscache recursive resolver
#
# Author:  Matthew J. Fanto <mattjf@uncompiled.com>
# 
#   Based off Named policy file written by
#	Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
#	Russell Coker <russell@coker.com.au>
#   
# X-Debian-Packages: djbdns-installer djbdns


# we only define dnscache_port_t if we aren't
# using named or nsd, as it would conflict
ifdef(`named.te', `', `
ifdef(`nsd.te', `', ` 
type dnscache_port_t, port_type;
')dnl end if nsd.te
')dnl end if named.te

daemon_domain(dnscache)

# allow programs in the dnscache_t domain to execute dnscache_exec_t binaries
can_exec(dnscache_t, dnscache_exec_t)

# type for dnscache config files (/etc/dnscache(/.*)?)
type dnscache_conf_t, file_type, sysadmfile;

# need to allow dnscache to access a few files
allow dnscache_t etc_t:file { getattr read };
allow dnscache_t etc_runtime_t:{ file lnk_file } { getattr read };
allow dnscache_t resolv_conf_t:file { getattr read };
allow dnscache_t sbin_t:dir search;

# dnscache can use the network
can_network(dnscache_t)
# dnscache_port_t is only defined above when neither named.te nor nsd.te is
# present, but this rule references it unconditionally; with named or nsd in
# the policy it fails to compile unless the port type is defined elsewhere.
allow dnscache_t dnscache_port_t:{ udp_socket tcp_socket } name_bind;
can_udp_send(domain, dnscache_t)
can_udp_send(dnscache_t, domain)
can_tcp_connect(domain, dnscache_t)
allow dnscache_t self:unix_dgram_socket create_socket_perms;

#read configuration files
r_dir_file(dnscache_t, dnscache_conf_t)

# allow dnscache to read /dev/random
allow dnscache_t device_t:dir r_dir_perms;
allow dnscache_t random_device_t:chr_file r_file_perms;

# dnscache writes to a fifo and multilog reads it
# this is used for logging
ifdef(`daemontools.te', `
allow dnscache_t svc_start_t:fd { use };
allow dnscache_t svc_start_t:fifo_file { write };
')
