From e426b5785f14e353f0b74070556a255bdc8466e5 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Sun, 30 Dec 2018 18:27:30 +0300
Subject: [PATCH 1/3] Add required permissions for nsd_t to be able running.

Add required permissions to nsd_t for NSD work properly.
---
 policy/modules/services/nsd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index eb4051147..355ce0c7b 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -34,7 +34,7 @@ files_type(nsd_zone_t)
 # Local policy
 #
 
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
+allow nsd_t self:capability { chown dac_override kill setgid setuid dac_read_search net_admin };
 dontaudit nsd_t self:capability sys_tty_config;
 allow nsd_t self:process signal_perms;
 allow nsd_t self:fifo_file rw_fifo_file_perms;
@@ -44,12 +44,14 @@ allow nsd_t nsd_conf_t:dir list_dir_perms;
 allow nsd_t nsd_conf_t:file read_file_perms;
 allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
 
+allow nsd_t nsd_db_t:file map;
 allow nsd_t nsd_db_t:file manage_file_perms;
 filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
 
 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
 files_pid_filetrans(nsd_t, nsd_var_run_t, file)
 
+allow nsd_t nsd_zone_t:file { map };
 manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)

From faa2b159108774b6c7d5a17ff24f3cefa983f591 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Sun, 30 Dec 2018 18:30:23 +0300
Subject: [PATCH 2/3] Add nsd_admin interface to sysadm.te.

Allow users with sysadm_r role to start/stop NSD daemon.
---
 policy/modules/roles/sysadm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 93ee729a2..d567aa1d8 100644
--- a/policy/modules/roles/sysadm.te
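Review bot: The `net_admin` added to the capability rule in the first hunk is a broad grant (interface and routing configuration, privileged socket options) and neither the subject nor the description says which NSD operation produced the denial. If it comes from a setsockopt that NSD tolerates failing, the usual refpolicy treatment is `dontaudit nsd_t self:capability net_admin;` alongside the existing `sys_tty_config` dontaudit rather than an allow. `dac_read_search` should likewise be tied to a concrete observed access in the description so a later reviewer can judge whether it is still required. A one-line comment above the rule naming the triggering operation would help, e.g. `# net_admin: <operation seen in the denial — placeholder>`.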
+++ b/policy/modules/roles/sysadm.te
@@ -710,6 +710,10 @@ optional_policy(`
 	nscd_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	nsd_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	nslcd_admin(sysadm_t, sysadm_r)
 ')

From c9472586104ad464bc08ce68f9f118d437e98fef Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Fri, 4 Jan 2019 15:59:02 +0300
Subject: [PATCH 3/3] Remove unneeded braces from nsd.te.

---
 policy/modules/services/nsd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index 355ce0c7b..7e9de5073 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -51,7 +51,7 @@ filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
 files_pid_filetrans(nsd_t, nsd_var_run_t, file)
 
-allow nsd_t nsd_zone_t:file { map };
+allow nsd_t nsd_zone_t:file map;
 manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
 manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t)