#DESC TINYDNS - Name server for djbdns
#
# Authors: Matthew J. Fanto <mattjf@uncompiled.com>
#
# Based on the named policy file written by
# Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
# Russell Coker
# X-Debian-Packages: djbdns-installer djbdns
#
#
#################################
#
# Rules for the tinydns_t domain.
#
# Declares the daemon domain; the tinydns_t, tinydns_exec_t and
# tinydns_var_run_t types used below are presumably supplied by this macro.
daemon_domain(tinydns)
# tinydns_t may execute its own binary without a domain transition.
can_exec(tinydns_t, tinydns_exec_t)
# Path lookup through sbin_t directories only (search, no listing or write).
allow tinydns_t sbin_t:dir search;
# tinydns may change its own scheduling parameters (self only).
allow tinydns_t self:process setsched;
# A type for configuration files of tinydns.
type tinydns_conf_t, file_type, sysadmfile;
# for primary zone files - the data file
type tinydns_zone_t, file_type, sysadmfile;
# Read-only access to etc_t files; no write or create.
allow tinydns_t etc_t:file { getattr read };
# Read-only access to runtime-generated etc_runtime_t files and symlinks.
allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
# tinydns can use the network
can_network_server(tinydns_t)
# Bind the DNS port on both UDP and TCP. Only name_bind is granted here;
# no name_connect, so tinydns_t cannot initiate outbound connections on this port.
allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
# allow UDP traffic to/from any domain
can_udp_send(domain, tinydns_t)
# NOTE(review): 'domain' is the attribute of every domain, so this and the
# rule above give tinydns_t the widest possible UDP peer set. A nameserver
# answers arbitrary clients, so this is expected; tighten here if the set of
# local peers is known.
can_udp_send(tinydns_t, domain)
# tinydns itself doesn't do zone transfers
# so it does not need tcp_connect
# read configuration and zone files
r_dir_file(tinydns_t, tinydns_conf_t)
r_dir_file(tinydns_t, tinydns_zone_t)
# allow tinydns to create unix-domain datagram sockets (unix_dgram_socket, not UDP)
# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
allow tinydns_t self:unix_dgram_socket create_socket_perms;
# Read /dev/random.
allow tinydns_t device_t:dir r_dir_perms;
allow tinydns_t random_device_t:chr_file r_file_perms;
# Set own capabilities.
allow tinydns_t self:process setcap;
# for the chmod in the start script
# dontaudit: the setattr attempt is still denied, it is just not logged.
dontaudit initrc_t tinydns_var_run_t:dir setattr;