Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/bind.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/bind.if')
-rw-r--r--policy/modules/services/bind.if376
1 files changed, 376 insertions, 0 deletions
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
new file mode 100644
index 000000000..a99bae9c6
--- /dev/null
+++ b/policy/modules/services/bind.if
@@ -0,0 +1,376 @@
+## <summary>Berkeley Internet name domain DNS server.</summary>
+
+########################################
+## <summary>
+## Execute bind init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_initrc_domtrans',`
+ gen_require(`
+ type named_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, named_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans_ndc',`
+ gen_require(`
+ type ndc_t, ndc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ndc_exec_t, ndc_t)
+')
+
+########################################
+## <summary>
+## Send generic signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signal',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_signull',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process signull;
+')
+
+########################################
+## <summary>
+## Send kill signals to bind.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_kill',`
+ gen_require(`
+ type named_t;
+ ')
+
+ allow $1 named_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute ndc in the ndc domain, and
+## allow the specified role the ndc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_run_ndc',`
+ gen_require(`
+ attribute_role ndc_roles;
+ ')
+
+ bind_domtrans_ndc($1)
+ roleattribute $2 ndc_roles;
+')
+
+########################################
+## <summary>
+## Execute bind in the named domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bind_domtrans',`
+ gen_require(`
+ type named_t, named_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, named_exec_t, named_t)
+')
+
+########################################
+## <summary>
+## Read dnssec key files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_dnssec_keys',`
+ gen_require(`
+ type named_conf_t, named_zone_t, dnssec_t;
+ ')
+
+ read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
+')
+
+########################################
+## <summary>
+## Read bind named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ read_files_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Write bind named configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_write_config',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ write_files_pattern($1, named_conf_t, named_conf_t)
+ allow $1 named_conf_t:file setattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind configuration directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_config_dirs',`
+ gen_require(`
+ type named_conf_t;
+ ')
+
+ manage_dirs_pattern($1, named_conf_t, named_conf_t)
+')
+
+########################################
+## <summary>
+## Search bind cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_search_cache',`
+ gen_require(`
+ type named_conf_t, named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_conf_t:dir search_dir_perms;
+ allow $1 named_zone_t:dir search_dir_perms;
+ allow $1 named_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_cache',`
+ gen_require(`
+ type named_cache_t, named_zone_t;
+ ')
+
+ files_search_var($1)
+ allow $1 named_zone_t:dir search_dir_perms;
+ manage_files_pattern($1, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
+')
+
+########################################
+## <summary>
+## Set attributes of bind pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_pid_dirs',`
+ gen_require(`
+ type named_var_run_t;
+ ')
+
+ allow $1 named_var_run_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Set attributes of bind zone directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_setattr_zone_dirs',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ allow $1 named_zone_t:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
+## Read bind zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_read_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## bind zone files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an bind environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+ gen_require(`
+ type named_t, named_tmp_t, named_log_t;
+ type named_cache_t, named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type named_keytab_t;
+ ')
+
+ allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { named_t ndc_t })
+
+ init_startstop_service($1, $2, named_t, named_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, named_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, named_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { named_keytab_t named_conf_t })
+
+ files_list_var($1)
+ admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
+')