#DESC BIND - Name server
#
# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
#           Russell Coker
# X-Debian-Packages: bind bind9
# 
#
#################################
#
# Rules for the named_t domain.
#
daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)
# Entry point for named-checkconf: when run by the init script it transitions
# into named_t (presumably so the config check runs with named's own rights).
type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
# For /var/run/ndc used in BIND 8: sock_files that named creates under
# /var/run are labeled named_var_run_t so the ndc client can reach them.
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
# ndc_t is the domain for the ndc/rndc control client; it is entered from
# sysadm_r or system_r and carries privlog and nscd_client_domain.
type ndc_t, domain, privlog, nscd_client_domain;
role sysadm_r types ndc_t;
role system_r types ndc_t;
ifdef(`targeted_policy', `
dontaudit ndc_t root_t:file { getattr read };
dontaudit ndc_t unlabeled_t:file { getattr read };	
')
can_exec(named_t, named_exec_t)
allow named_t sbin_t:dir search;
allow named_t self:process { setsched setcap setrlimit };
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;
# for primary zone files
type named_zone_t, file_type, sysadmfile;
# for secondary zone files
type named_cache_t, file_type, sysadmfile;
# for DNSSEC key files (key material, hence secure_file_type); the only
# readers granted in this file are named_t and ndc_t, getattr/read only
type dnssec_t, file_type, sysadmfile, secure_file_type;
allow { ndc_t named_t } dnssec_t:file { getattr read };
# Use capabilities.  This set is deliberately generous ("surplus capabilities
# may be allowed"): setuid/setgid/sys_chroot are presumably for named's
# privilege-drop and chroot options, net_bind_service for the DNS port.
# NOTE(review): dac_override and chown let named_t bypass DAC permissions on
# every file type it is otherwise allowed to touch; confirm they are really
# exercised (AVC denials with them removed) before keeping them in a hardened build.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
allow named_t etc_t:file { getattr read };
allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
# Named can use the network (can_network grants the full socket set; the
# specific port binds are further down).
can_network(named_t)
# NOTE(review): name_connect on every port_type lets named_t open outbound TCP
# to any labeled port, not only dns_port_t.  TCP queries, zone transfers and
# notifies use the DNS port; narrow this to dns_port_t unless a non-standard
# upstream port is known to be in use.
allow named_t port_type:tcp_socket name_connect;
can_ypbind(named_t)
# allow UDP datagrams between named_t and every other domain, and let any
# domain open a TCP connection to named_t (local resolver clients)
can_udp_send(domain, named_t)
can_udp_send(named_t, domain)
can_tcp_connect(domain, named_t)
log_domain(named)
# Bind to the DNS port on UDP and TCP, and to the rndc control port (TCP only).
allow named_t dns_port_t:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
# Tunable, default off.  When true, named_t may create and rewrite primary
# zone files (named_zone_t) -- presumably for dynamic DNS updates.  When false
# the zones are read-only to named_t, so a compromised named cannot alter them.
bool named_write_master_zones false;
#read configuration files
r_dir_file(named_t, named_conf_t)
if (named_write_master_zones) {
#create and modify zone files
create_dir_file(named_t, named_zone_t)
}
#read zone files
r_dir_file(named_t, named_zone_t)
#write cache for secondary zones
rw_dir_create_file(named_t, named_cache_t)
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
allow named_t self:netlink_route_socket r_netlink_socket_perms;
# Read sysctl kernel variables.
read_sysctl(named_t)
# Read /proc/cpuinfo and /proc/net
r_dir_file(named_t, proc_t)
r_dir_file(named_t, proc_net_t)
# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
allow named_t random_device_t:chr_file r_file_perms;
# Use a pipe created by self.
allow named_t self:fifo_file rw_file_perms;
#################################
#
# Rules for the ndc_t domain (the ndc/rndc control client).
# (named_t's own setcap/setrlimit rule is above, with the other named_t rules.)
#
# A type for /usr/sbin/ndc, the entry point into ndc_t.
type ndc_exec_t, file_type,sysadmfile, exec_type;
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)
ifdef(`distro_redhat', `
# for /etc/rndc.key: ndc and the init script must be able to search the
# named config directory (file read is granted below, outside the ifdef)
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t.
# NOTE(review): the two rules below are broader than that comment suggests --
# initrc_t gets write/setattr on every named_conf_t file and create_dir_perms
# on named_conf_t directories, i.e. the init script can rewrite named's
# configuration.  Consider a dedicated type for the copied file instead.
allow initrc_t named_conf_t:file { setattr write };
allow initrc_t named_conf_t:dir create_dir_perms;
')
allow { ndc_t initrc_t } named_conf_t:file { getattr read };
allow ndc_t etc_t:dir r_dir_perms;
allow ndc_t etc_t:file r_file_perms;
allow ndc_t self:unix_stream_socket create_stream_socket_perms;
allow ndc_t self:unix_stream_socket connect;
# NOTE(review): net_admin is a strong capability for a control client and no
# rule in this file appears to need it (name_connect to rndc_port_t does not);
# dac_override is presumably for reading a root-only rndc.key.  Confirm both
# against AVC denials and drop whichever is unused.
allow ndc_t self:capability { dac_override net_admin };
allow ndc_t var_t:dir search;
allow ndc_t var_run_t:dir search;
allow ndc_t named_var_run_t:sock_file rw_file_perms;
allow ndc_t named_t:unix_stream_socket connectto;
allow ndc_t { privfd init_t }:fd use;
# Output goes to the invoking admin's tty or the init script's pty; read is
# also needed in practice (cause not identified).
allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
allow ndc_t fs_t:filesystem getattr;
# Read sysctl kernel variables.
read_sysctl(ndc_t)
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
allow ndc_t named_zone_t:dir search;
# for chmod in start script
dontaudit initrc_t named_var_run_t:dir setattr;
# for ndc_t to be used for restart shell scripts.
# NOTE(review): with this enabled ndc_t can run bin_t, sbin_t and shell_exec_t
# programs and is entered from system cron, so it becomes a general-purpose
# script domain rather than a narrow rndc client; enable only when such a
# restart script is actually deployed.
ifdef(`ndc_shell_script', `
system_crond_entry(ndc_exec_t, ndc_t)
allow ndc_t devtty_t:chr_file { read write ioctl };
allow ndc_t etc_runtime_t:file { getattr read };
allow ndc_t proc_t:dir search;
allow ndc_t proc_t:file { getattr read };
can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
allow ndc_t named_var_run_t:file getattr;
allow ndc_t named_zone_t:dir { read getattr };
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };