bind: fixes for unbound

Unbound maintains a copy of the root key in /etc/unbound/cache and needs
to be able to manage it.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2021-11-06 21:46:08 -04:00
parent 60d3cf03ed
commit ae0a8b7fba
2 changed files with 3 additions and 1 deletions


@ -13,6 +13,7 @@
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound/cache(/.*)? gen_context(system_u:object_r:dnssec_t,s0)
/usr/bin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/bin/named -- gen_context(system_u:object_r:named_exec_t,s0)
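Review bot: Labelling `/etc/unbound/cache(/.*)?` as `dnssec_t` puts the daemon-writable trust-anchor cache in the same type as the key files matched just above it (`/etc/rndc\.key` and `/etc/unbound/.*\.key`). Together with `allow named_t dnssec_t:file manage_file_perms;` in the policy-module section of this commit, SELinux then lets named_t write, create and unlink those key files as well, not only the root key copy the description refers to. A dedicated type for the cache would keep the keys read-only for the daemon, for example `/etc/unbound/cache(/.*)? gen_context(system_u:object_r:unbound_anchor_t,s0)` (the type name is a placeholder), with the manage and filetrans rules written against that type instead.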


@ -81,7 +81,8 @@ allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
allow named_t self:tcp_socket { accept listen };
allow named_t dnssec_t:file read_file_perms;
allow named_t dnssec_t:file manage_file_perms;
filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
allow named_t named_conf_t:dir list_dir_perms;
read_files_pattern(named_t, named_conf_t, named_conf_t)
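Review bot: The rules added after `allow named_t self:tcp_socket { accept listen };` grant only the `file` class on `dnssec_t`, yet the file-context section labels the cache directory itself `dnssec_t` and the `filetrans_pattern(..., dir, "cache")` line expects named_t to create it. No `dnssec_t:dir` permission is visible in this hunk, so unless one exists elsewhere in the module, creating the directory or adding the key file inside it would be denied. Consider replacing the bare allow with `manage_files_pattern(named_t, dnssec_t, dnssec_t)` and adding `allow named_t dnssec_t:dir create_dir_perms;`. A short comment above the pair, such as `# unbound rewrites its root trust anchor under /etc/unbound/cache`, would record why write access is needed here.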