selinux-refpolicy/policy/modules/services/nsd.te
2006-07-12 20:32:27 +00:00

204 lines
4.9 KiB
Plaintext

policy_module(nsd,1.0.1)
########################################
#
# Declarations
#
type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t,nsd_exec_t)
# A type for configuration files of nsd
type nsd_conf_t;
files_type(nsd_conf_t)
type nsd_crond_t;
domain_type(nsd_crond_t)
domain_entry_file(nsd_crond_t,nsd_exec_t)
role system_r types nsd_crond_t;
# a type for nsd.db
type nsd_db_t;
files_type(nsd_db_t)
type nsd_var_run_t;
files_pid_file(nsd_var_run_t)
# A type for zone files
type nsd_zone_t;
files_type(nsd_zone_t)
########################################
#
# NSD Local policy
#
allow nsd_t self:capability { dac_override chown setuid setgid };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
allow nsd_t self:tcp_socket create_stream_socket_perms;
allow nsd_t self:udp_socket create_socket_perms;
allow nsd_t nsd_conf_t:dir r_dir_perms;
allow nsd_t nsd_conf_t:file r_file_perms;
allow nsd_t nsd_conf_t:lnk_file { getattr read };
allow nsd_t nsd_db_t:file manage_file_perms;
type_transition nsd_t nsd_zone_t:file nsd_db_t;
allow nsd_t nsd_zone_t:dir rw_dir_perms;
allow nsd_t nsd_var_run_t:file create_file_perms;
allow nsd_t nsd_var_run_t:dir rw_dir_perms;
files_pid_filetrans(nsd_t,nsd_var_run_t,file)
allow nsd_t nsd_zone_t:dir r_dir_perms;
allow nsd_t nsd_zone_t:file r_file_perms;
allow nsd_t nsd_zone_t:lnk_file { getattr read };
can_exec(nsd_t,nsd_exec_t)
kernel_read_system_state(nsd_t)
kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
corenet_non_ipsec_sendrecv(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
corenet_tcp_sendrecv_all_nodes(nsd_t)
corenet_udp_sendrecv_all_nodes(nsd_t)
corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_all_nodes(nsd_t)
corenet_udp_bind_all_nodes(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
corenet_sendrecv_dns_server_packets(nsd_t)
dev_read_sysfs(nsd_t)
domain_use_interactive_fds(nsd_t)
files_read_etc_files(nsd_t)
files_read_etc_runtime_files(nsd_t)
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
term_dontaudit_use_console(nsd_t)
init_use_fds(nsd_t)
init_use_script_ptys(nsd_t)
libs_use_ld_so(nsd_t)
libs_use_shared_libs(nsd_t)
logging_send_syslog_msg(nsd_t)
miscfiles_read_localization(nsd_t)
sysnet_read_config(nsd_t)
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_sysadm_home_dirs(nsd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(nsd_t)
term_dontaudit_use_generic_ptys(nsd_t)
files_dontaudit_read_root_files(nsd_t)
')
optional_policy(`
nis_use_ypbind(nsd_t)
')
optional_policy(`
seutil_sigchld_newrole(nsd_t)
')
optional_policy(`
udev_read_db(nsd_t)
')
########################################
#
# Zone update cron job local policy
#
# kill capability for root cron job and non-root daemon
allow nsd_crond_t self:capability { dac_override kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_file_perms;
allow nsd_crond_t self:tcp_socket create_socket_perms;
allow nsd_crond_t self:udp_socket create_socket_perms;
allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
allow nsd_crond_t nsd_db_t:file manage_file_perms;
type_transition nsd_crond_t nsd_zone_t:file nsd_db_t;
allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
files_search_var_lib(nsd_crond_t)
allow nsd_crond_t nsd_t:process signal;
allow nsd_crond_t nsd_t:dir { search getattr read };
allow nsd_crond_t nsd_t:{ file lnk_file } { read getattr };
allow nsd_crond_t nsd_t:process getattr;
allow nsd_crond_t nsd_zone_t:file manage_file_perms;
allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
type_transition nsd_crond_t nsd_conf_t:file nsd_zone_t;
allow nsd_crond_t nsd_conf_t:dir rw_dir_perms;
can_exec(nsd_crond_t,nsd_exec_t)
kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_sbin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
corenet_non_ipsec_sendrecv(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
corenet_udp_sendrecv_all_nodes(nsd_crond_t)
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
corenet_udp_sendrecv_all_ports(nsd_crond_t)
corenet_tcp_connect_all_ports(nsd_crond_t)
corenet_sendrecv_all_client_packets(nsd_crond_t)
# for SSP
dev_read_urand(nsd_crond_t)
domain_dontaudit_read_all_domains_state(nsd_crond_t)
files_read_etc_files(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
files_search_var_lib(nsd_t)
libs_use_ld_so(nsd_crond_t)
libs_use_shared_libs(nsd_crond_t)
logging_send_syslog_msg(nsd_crond_t)
miscfiles_read_localization(nsd_crond_t)
sysnet_read_config(nsd_crond_t)
userdom_dontaudit_search_sysadm_home_dirs(nsd_crond_t)
optional_policy(`
cron_system_entry(nsd_crond_t,nsd_exec_t)
')
optional_policy(`
nis_use_ypbind(nsd_crond_t)
')
optional_policy(`
nscd_read_pid(nsd_crond_t)
')