diff options
Diffstat (limited to 'policy/modules/services/bind.if')
-rw-r--r-- | policy/modules/services/bind.if | 376 |
1 files changed, 376 insertions, 0 deletions
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if new file mode 100644 index 000000000..a99bae9c6 --- /dev/null +++ b/policy/modules/services/bind.if @@ -0,0 +1,376 @@ +## <summary>Berkeley Internet name domain DNS server.</summary> + +######################################## +## <summary> +## Execute bind init scripts in +## the init script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_initrc_domtrans',` + gen_require(` + type named_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, named_initrc_exec_t) +') + +######################################## +## <summary> +## Execute ndc in the ndc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_domtrans_ndc',` + gen_require(` + type ndc_t, ndc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ndc_exec_t, ndc_t) +') + +######################################## +## <summary> +## Send generic signals to bind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_signal',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process signal; +') + +######################################## +## <summary> +## Send null signals to bind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_signull',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process signull; +') + +######################################## +## <summary> +## Send kill signals to bind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_kill',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process sigkill; +') + +######################################## +## <summary> +## Execute ndc in the ndc domain, and +## allow the specified role the ndc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bind_run_ndc',` + gen_require(` + attribute_role ndc_roles; + ') + + bind_domtrans_ndc($1) + roleattribute $2 ndc_roles; +') + +######################################## +## <summary> +## Execute bind in the named domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_domtrans',` + gen_require(` + type named_t, named_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, named_exec_t, named_t) +') + +######################################## +## <summary> +## Read dnssec key files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_dnssec_keys',` + gen_require(` + type named_conf_t, named_zone_t, dnssec_t; + ') + + read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) +') + +######################################## +## <summary> +## Read bind named configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_config',` + gen_require(` + type named_conf_t; + ') + + read_files_pattern($1, named_conf_t, named_conf_t) +') + +######################################## +## <summary> +## Write bind named configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_write_config',` + gen_require(` + type named_conf_t; + ') + + write_files_pattern($1, named_conf_t, named_conf_t) + allow $1 named_conf_t:file setattr_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## bind configuration directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_manage_config_dirs',` + gen_require(` + type named_conf_t; + ') + + manage_dirs_pattern($1, named_conf_t, named_conf_t) +') + +######################################## +## <summary> +## Search bind cache directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_search_cache',` + gen_require(` + type named_conf_t, named_cache_t, named_zone_t; + ') + + files_search_var($1) + allow $1 named_conf_t:dir search_dir_perms; + allow $1 named_zone_t:dir search_dir_perms; + allow $1 named_cache_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## bind cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_manage_cache',` + gen_require(` + type named_cache_t, named_zone_t; + ') + + files_search_var($1) + allow $1 named_zone_t:dir search_dir_perms; + manage_files_pattern($1, named_cache_t, named_cache_t) + manage_lnk_files_pattern($1, named_cache_t, named_cache_t) +') + +######################################## +## <summary> +## Set attributes of bind pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_setattr_pid_dirs',` + gen_require(` + type named_var_run_t; + ') + + allow $1 named_var_run_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Set attributes of bind zone directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_setattr_zone_dirs',` + gen_require(` + type named_zone_t; + ') + + allow $1 named_zone_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Read bind zone files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + read_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## bind zone files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + manage_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an bind environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bind_admin',` + gen_require(` + type named_t, named_tmp_t, named_log_t; + type named_cache_t, named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_conf_t, named_var_run_t; + type named_keytab_t; + ') + + allow $1 { named_t ndc_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { named_t ndc_t }) + + init_startstop_service($1, $2, named_t, named_initrc_exec_t) + + files_list_tmp($1) + admin_pattern($1, named_tmp_t) + + logging_list_logs($1) + admin_pattern($1, named_log_t) + + files_list_etc($1) + admin_pattern($1, { named_keytab_t named_conf_t }) + + files_list_var($1) + admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) + + files_list_pids($1) + admin_pattern($1, named_var_run_t) +') |