From 31c276c7b4e147885a22806a6b62e280a0b1c2c9 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 2 Mar 2021 13:41:55 +0800
Subject: [PATCH] bind: fixes for bind
* add fcontext for /etc/rc.d/init.d/bind and /etc/bind/rndc.conf
* add getsched for named process
Fixes: avc: denied { getsched } for pid=418 comm="named" scontext=system_u:system_r:named_t tcontext=system_u:system_r:named_t tclass=process permissive=0
Signed-off-by: Yi Zhao
---
policy/modules/services/bind.fc | 2 ++
policy/modules/services/bind.te | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index ce68a0af9..585103eb9 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,8 +1,10 @@
 /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
 /etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
 /etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bf50763bd..623437e9f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
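Review bot: The new `/etc/bind/rndc\.conf.*` entry labels the file `named_conf_t`, while the neighbouring `/etc/bind/rndc\.key` line keeps the rndc secret under the more restrictive `dnssec_t`; an rndc.conf that carries its `key` statement inline instead of including rndc.key would therefore hold the secret at the less restrictive config label. Whether that applies depends on how the target system generates rndc.conf, which the hunk cannot show, so it is worth confirming against the deployment and recording the decision next to the entry, e.g. `# rndc.conf is expected to reference /etc/bind/rndc.key; the secret itself stays dnssec_t`. The trailing `.*` also matches backup and sample copies, which is consistent with the existing `named\.conf.*` entry.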
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { setsched getsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };