#DESC BIND - Name server

#

# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,

#           Russell Coker

# X-Debian-Packages: bind bind9

# 

#

#################################

#

# Rules for the named_t domain.

#

daemon_domain(named, `, nscd_client_domain')

tmp_domain(named)

type named_checkconf_exec_t, file_type, exec_type, sysadmfile;

domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)

# For /var/run/ndc used in BIND 8

file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)

# ndc_t is the domain for the ndc program

type ndc_t, domain, privlog, nscd_client_domain;

role sysadm_r types ndc_t;

role system_r types ndc_t;

ifdef(`targeted_policy', `

dontaudit ndc_t root_t:file { getattr read };

dontaudit ndc_t unlabeled_t:file { getattr read };	

')

can_exec(named_t, named_exec_t)

allow named_t sbin_t:dir search;

allow named_t self:process { setsched setcap setrlimit };

# A type for configuration files of named.

type named_conf_t, file_type, sysadmfile, mount_point;

# for primary zone files

type named_zone_t, file_type, sysadmfile;

# for secondary zone files

type named_cache_t, file_type, sysadmfile;

# for DNSSEC key files

type dnssec_t, file_type, sysadmfile, secure_file_type;

allow { ndc_t named_t } dnssec_t:file { getattr read };

# Use capabilities. Surplus capabilities may be allowed.

allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };

allow named_t etc_t:file { getattr read };

allow named_t etc_runtime_t:{ file lnk_file } { getattr read };

#Named can use network

can_network(named_t)

allow named_t port_type:tcp_socket name_connect;

can_ypbind(named_t)

# allow UDP transfer to/from any program

can_udp_send(domain, named_t)

can_udp_send(named_t, domain)

can_tcp_connect(domain, named_t)

log_domain(named)

# Bind to the named port.

allow named_t dns_port_t:udp_socket name_bind;

allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;

bool named_write_master_zones false;

#read configuration files

r_dir_file(named_t, named_conf_t)

if (named_write_master_zones) {

#create and modify zone files

create_dir_file(named_t, named_zone_t)

}

#read zone files

r_dir_file(named_t, named_zone_t)

#write cache for secondary zones

rw_dir_create_file(named_t, named_cache_t)

allow named_t self:unix_stream_socket create_stream_socket_perms;

allow named_t self:unix_dgram_socket create_socket_perms;

allow named_t self:netlink_route_socket r_netlink_socket_perms;

# Read sysctl kernel variables.

read_sysctl(named_t)

# Read /proc/cpuinfo and /proc/net

r_dir_file(named_t, proc_t)

r_dir_file(named_t, proc_net_t)

# Read /dev/random.

allow named_t device_t:dir r_dir_perms;

allow named_t random_device_t:chr_file r_file_perms;

# Use a pipe created by self.

allow named_t self:fifo_file rw_file_perms;

# Enable named dbus support:

ifdef(`dbusd.te', `

dbusd_client(system, named)

domain_auto_trans(system_dbusd_t, named_exec_t, named_t)

allow named_t system_dbusd_t:dbus { acquire_svc send_msg };

allow named_t self:dbus send_msg;

allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;

allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;

ifdef(`unconfined.te', `

allow unconfined_t named_t:dbus send_msg;

allow named_t unconfined_t:dbus send_msg;

')

')

# Set own capabilities.

#A type for /usr/sbin/ndc

type ndc_exec_t, file_type,sysadmfile, exec_type;

domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)

uses_shlib(ndc_t)

can_network_client_tcp(ndc_t)

allow ndc_t rndc_port_t:tcp_socket name_connect;

can_ypbind(ndc_t)

can_resolve(ndc_t)

read_locale(ndc_t)

can_tcp_connect(ndc_t, named_t)

ifdef(`distro_redhat', `

# for /etc/rndc.key

allow { ndc_t initrc_t } named_conf_t:dir search;

# Allow init script to cp localtime to named_conf_t

allow initrc_t named_conf_t:file { setattr write };

allow initrc_t named_conf_t:dir create_dir_perms;

allow initrc_t var_run_t:lnk_file create_file_perms;

ifdef(`automount.te', `

# automount has no need to search the /proc file system for the named chroot

dontaudit automount_t named_zone_t:dir search;

')dnl end ifdef automount.te

')dnl end ifdef distro_redhat

allow { ndc_t initrc_t } named_conf_t:file { getattr read };

allow ndc_t etc_t:dir r_dir_perms;

allow ndc_t etc_t:file r_file_perms;

allow ndc_t self:unix_stream_socket create_stream_socket_perms;

allow ndc_t self:unix_stream_socket connect;

allow ndc_t self:capability { dac_override net_admin };

allow ndc_t var_t:dir search;

allow ndc_t var_run_t:dir search;

allow ndc_t named_var_run_t:sock_file rw_file_perms;

allow ndc_t named_t:unix_stream_socket connectto;

allow ndc_t { privfd init_t }:fd use;

# seems to need read as well for some reason

allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };

allow ndc_t fs_t:filesystem getattr;

# Read sysctl kernel variables.

read_sysctl(ndc_t)

allow ndc_t self:process { fork signal_perms };

allow ndc_t self:fifo_file { read write getattr ioctl };

allow ndc_t named_zone_t:dir search;

# for chmod in start script

dontaudit initrc_t named_var_run_t:dir setattr;

# for ndc_t to be used for restart shell scripts

ifdef(`ndc_shell_script', `

system_crond_entry(ndc_exec_t, ndc_t)

allow ndc_t devtty_t:chr_file { read write ioctl };

allow ndc_t etc_runtime_t:file { getattr read };

allow ndc_t proc_t:dir search;

allow ndc_t proc_t:file { getattr read };

can_exec(ndc_t, { bin_t sbin_t shell_exec_t })

allow ndc_t named_var_run_t:file getattr;

allow ndc_t named_zone_t:dir { read getattr };

allow ndc_t named_zone_t:file getattr;

dontaudit ndc_t sysadm_home_t:dir { getattr search read };

')

allow ndc_t self:netlink_route_socket r_netlink_socket_perms;

dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };