policy_module(dnssectrigger, 1.4.2) ######################################## # # Declarations # type dnssec_triggerd_t; type dnssec_triggerd_exec_t; init_daemon_domain(dnssec_triggerd_t, dnssec_triggerd_exec_t) type dnssec_triggerd_initrc_exec_t; init_script_file(dnssec_triggerd_initrc_exec_t) type dnssec_trigger_conf_t; files_config_file(dnssec_trigger_conf_t) type dnssec_trigger_log_t; logging_log_file(dnssec_trigger_log_t) type dnssec_triggerd_runtime_t alias dnssec_triggerd_var_run_t; files_pid_file(dnssec_triggerd_runtime_t) ######################################## # # Local policy # allow dnssec_triggerd_t self:capability linux_immutable; allow dnssec_triggerd_t self:process signal; allow dnssec_triggerd_t self:fifo_file rw_fifo_file_perms; allow dnssec_triggerd_t self:unix_stream_socket { accept listen }; allow dnssec_triggerd_t self:tcp_socket { accept listen }; allow dnssec_triggerd_t dnssec_trigger_conf_t:file read_file_perms; append_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) create_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) setattr_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t) logging_log_filetrans(dnssec_triggerd_t, dnssec_trigger_log_t, file) manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_runtime_t, dnssec_triggerd_runtime_t) files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_runtime_t, file) kernel_read_system_state(dnssec_triggerd_t) corecmd_exec_bin(dnssec_triggerd_t) corecmd_exec_shell(dnssec_triggerd_t) corenet_all_recvfrom_unlabeled(dnssec_triggerd_t) corenet_all_recvfrom_netlabel(dnssec_triggerd_t) corenet_tcp_sendrecv_generic_if(dnssec_triggerd_t) corenet_tcp_sendrecv_generic_node(dnssec_triggerd_t) corenet_tcp_bind_generic_node(dnssec_triggerd_t) corenet_sendrecv_rndc_client_packets(dnssec_triggerd_t) corenet_tcp_connect_rndc_port(dnssec_triggerd_t) corenet_sendrecv_http_client_packets(dnssec_triggerd_t) corenet_tcp_connect_http_port(dnssec_triggerd_t) dev_read_urand(dnssec_triggerd_t) files_read_etc_runtime_files(dnssec_triggerd_t) logging_send_syslog_msg(dnssec_triggerd_t) miscfiles_read_localization(dnssec_triggerd_t) sysnet_dns_name_resolve(dnssec_triggerd_t) sysnet_manage_config(dnssec_triggerd_t) sysnet_etc_filetrans_config(dnssec_triggerd_t) optional_policy(` bind_read_config(dnssec_triggerd_t) bind_read_dnssec_keys(dnssec_triggerd_t) ')