* Dnscache Policy Files
@ 2004-05-02 17:19 Matthew J. Fanto
From: Matthew J. Fanto @ 2004-05-02 17:19 UTC (permalink / raw)
To: selinux
Here are policy files for Dnscache (the caching nameserver portion of
djbdns).
-Matthew J. Fanto
[-- Attachment #2: dnscache.fc --]
# dnscache
# file_contexts patterns are anchored regular expressions, not shell globs:
# "run*" would match "ru", "run", "runn", ... so the globs are written as ".*"
/etc/dnscache(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/root(/.*)?	system_u:object_r:dnscache_conf_t
/etc/dnscache/env(/.*)?		system_u:object_r:dnscache_conf_t
/etc/dnscache/seed		system_u:object_r:dnscache_conf_t
# daemontools run scripts (plain files only, hence "--")
/etc/dnscache/run.*		--	system_u:object_r:dnscache_exec_t
/etc/dnscache/log/run.*		--	system_u:object_r:dnscache_exec_t
# the daemon binary (and any dnscache-* helper) in /usr/bin
/usr/bin/dnscache.*		--	system_u:object_r:dnscache_exec_t
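An added check, not part of the post, that resolves which label a path would get from the dnscache.fc entries above (file_contexts patterns are anchored regular expressions, not shell globs, so a bare trailing `*` only repeats the character before it). The embedded entries are a constructed copy with `*` written as `.*`; the precedence rule used (longest literal stem wins, later entries breaking ties) is an assumption for illustration.

```python
import re
from typing import Optional

# Constructed copy of the dnscache.fc entries above, with the shell-glob "*"
# written as the regex ".*" that file_contexts actually expects.
DNSCACHE_FC = """\
# dnscache
/etc/dnscache(/.*)?        system_u:object_r:dnscache_conf_t
/etc/dnscache/root(/.*)?   system_u:object_r:dnscache_conf_t
/etc/dnscache/env(/.*)?    system_u:object_r:dnscache_conf_t
/etc/dnscache/seed         system_u:object_r:dnscache_conf_t
/etc/dnscache/run.*     -- system_u:object_r:dnscache_exec_t
/etc/dnscache/log/run.* -- system_u:object_r:dnscache_exec_t
/usr/bin/dnscache.*     -- system_u:object_r:dnscache_exec_t
"""

# file-type flags an entry may carry; an entry without one applies to any type
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-p": "fifo_file",
               "-s": "sock_file", "-b": "blk_file", "-c": "chr_file"}
METACHARS = re.compile(r"[.*?+|()\[\]{}^$\\]")

def parse_fc(text: str) -> list:
    """Parse '<regex> [<type flag>] <context>' lines into
    (compiled regex, file type or None, context, literal stem) tuples."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        # stem: literal path prefix before the first regex metacharacter
        stem = METACHARS.split(fields[0], maxsplit=1)[0]
        specs.append((re.compile(fields[0]), ftype, fields[-1], stem))
    return specs

def label(specs: list, path: str, ftype: str = "file") -> Optional[str]:
    """Context a path of the given file type would get, or None if unlabeled.
    Assumption for illustration: the matching entry with the longest literal
    stem wins, later entries breaking ties."""
    best = None
    for regex, want, context, stem in specs:
        if want not in (None, ftype) or not regex.fullmatch(path):
            continue  # wrong file type, or regex does not match the whole path
        if best is None or len(stem) >= len(best[3]):
            best = (regex, want, context, stem)
    return best[2] if best else None
```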
[-- Attachment #3: dnscache.te --]
#DESC DNSCACHE - Policy file for the dnscache recursive resolver
#
# Author: Matthew J. Fanto <mattjf@uncompiled.com>
#
# Based off Named policy file written by
# Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: djbdns-installer djbdns

# we only define dnscache_port_t if we aren't
# using named or nsd, as it would conflict
ifdef(`named.te', `', `
ifdef(`nsd.te', `', `
type dnscache_port_t, port_type;
')dnl end if nsd.te
')dnl end if named.te

# declares dnscache_t and dnscache_exec_t and the transition into the domain
daemon_domain(dnscache)

# allow programs in the dnscache_t domain to execute dnscache_exec_t binaries
# (the daemontools run script execs the dnscache binary itself)
can_exec(dnscache_t, dnscache_exec_t)

# type for dnscache config files (/etc/dnscache(/.*)?)
type dnscache_conf_t, file_type, sysadmfile;

# need to allow dnscache to access a few files
allow dnscache_t etc_t:file { getattr read };
allow dnscache_t etc_runtime_t:{ file lnk_file } { getattr read };
allow dnscache_t resolv_conf_t:file { getattr read };
allow dnscache_t sbin_t:dir search;

# dnscache can use the network
can_network(dnscache_t)
# dnscache_port_t only exists when neither named.te nor nsd.te is compiled
# in, so the bind rule must be guarded the same way or the build fails on
# an undefined type
ifdef(`named.te', `', `
ifdef(`nsd.te', `', `
allow dnscache_t dnscache_port_t:{ udp_socket tcp_socket } name_bind;
')dnl end if nsd.te
')dnl end if named.te
# clients in any domain may send queries to dnscache and receive answers
can_udp_send(domain, dnscache_t)
can_udp_send(dnscache_t, domain)
# clients may also query over TCP
can_tcp_connect(domain, dnscache_t)
allow dnscache_t self:unix_dgram_socket create_socket_perms;

# read configuration files
r_dir_file(dnscache_t, dnscache_conf_t)

# allow dnscache to read /dev/random
allow dnscache_t device_t:dir r_dir_perms;
allow dnscache_t random_device_t:chr_file r_file_perms;

# dnscache writes to a fifo and multilog reads it
# this is used for logging
ifdef(`daemontools.te', `
allow dnscache_t svc_start_t:fd { use };
allow dnscache_t svc_start_t:fifo_file { write };
')