add selinux policy files

diff --git a/contrib/selinux/pdns.fc b/contrib/selinux/pdns.fc
new file mode 100644 (file)
index 0000000..4d7af1e
--- /dev/null
+++ b/contrib/selinux/pdns.fc
@@ -0,0 +1,6 @@
+/usr/sbin/pdns_server           --      gen_context(system_u:object_r:named_exec_t,s0)
+/etc/pdns/pdns\.conf            --      gen_context(system_u:object_r:named_conf_t,s0)
+/var/run/pdns\.controlsocket    -s      gen_context(system_u:object_r:named_var_run_t,s0)
+/var/run/pdns\.pid              --      gen_context(system_u:object_r:named_var_run_t,s0)
+/usr/bin/pdns_control          --      gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnssec               --      gen_context(system_u:object_r:ndc_exec_t,s0)

diff --git a/contrib/selinux/pdns.if b/contrib/selinux/pdns.if
new file mode 100644 (file)
index 0000000..3eb6a30
--- /dev/null
+++ b/contrib/selinux/pdns.if
@@ -0,0 +1 @@
+## <summary></summary>

diff --git a/contrib/selinux/pdns.te b/contrib/selinux/pdns.te
new file mode 100644 (file)
index 0000000..95960d7
--- /dev/null
+++ b/contrib/selinux/pdns.te
@@ -0,0 +1,16 @@
+policy_module(pdns,0.9.0)
+
+require{
+       type named_t;
+}
+
+#only needed if using the guardian
+allow named_t self:capability { kill };
+
+#gmysql backend:
+mysql_read_config(named_t)
+files_read_usr_files(named_t)
+mysql_stream_connect(named_t)
+
+#postgres backend:
+postgresql_stream_connect(named_t)