# DESC selinux policy for djbdns

# http://cr.yp.to/djbdns.html

#

# Author:  petre rodan <kaiowas@gentoo.org>

#

# this policy depends on ucspi-tcp and daemontools policies

#

ifdef(`daemontools.te', `

ifdef(`ucspi-tcp.te', `

define(`djbdns_daemon_domain', `

type djbdns_$1_conf_t, file_type, sysadmfile;

daemon_domain(djbdns_$1)

domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)

svc_ipc_domain(djbdns_$1_t)

can_network(djbdns_$1_t)

allow djbdns_$1_t port_type:tcp_socket name_connect;

allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;

allow djbdns_$1_t port_t:udp_socket name_bind;

r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)

allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };

allow djbdns_$1_t svc_svc_t:dir r_dir_perms;

')

define(`djbdns_tcpserver_domain', `

type djbdns_$1_conf_t, file_type, sysadmfile;

daemon_domain(djbdns_$1)

domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)

svc_ipc_domain(djbdns_$1_t)

allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;

r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)

allow djbdns_$1_t utcpserver_t:tcp_socket { read write };

')

djbdns_daemon_domain(dnscache)

# read seed file

allow djbdns_dnscache_t svc_svc_t:file r_file_perms;

djbdns_daemon_domain(tinydns)

djbdns_tcpserver_domain(axfrdns)

r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)

') dnl ifdef ucspi-tcp.te

') dnl ifdef daemontools.te