/usr/sbin/pdns_server -- gen_context(system_u:object_r:named_exec_t,s0)
-/etc/pdns/pdns\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -d gen_context(system_u:object_r:named_conf_t,s0)
/var/run/pdns\.controlsocket -s gen_context(system_u:object_r:named_var_run_t,s0)
/var/run/pdns\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)
-/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
-/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/var/cache/pdns(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0)
+/var/cache/pdns(/.*)? -d gen_context(system_u:object_r:named_cache_t,s0)
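Review bot: The `/etc/pdns(/.*)?` and `/var/cache/pdns(/.*)?` specs on L3–L4 and L11–L12 are each split into a `--` (regular file) and a `-d` (directory) entry, so any symlink, socket or other object created in those trees is left with the parent's default label rather than `named_conf_t`/`named_cache_t`, which is usually not what is intended and will show up as an unexpected denial later. A single entry with no type field covers every object class: `/etc/pdns(/.*)? gen_context(system_u:object_r:named_conf_t,s0)` and likewise `/var/cache/pdns(/.*)? gen_context(system_u:object_r:named_cache_t,s0)`. The removed and re-added `pdns_control`/`pdnssec` lines on L7–L10 are textually identical here, so that part of the hunk appears to be a whitespace-only change. If `/var/run` is a symlink to `/run` on the target distribution, confirm the `/var/run/pdns\.controlsocket` and `/var/run/pdns\.pid` entries (L5–L6) are still applied, or add matching `/run/...` entries.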
-policy_module(pdns,0.9.0)
+policy_module(pdns,0.9.5)
require{
- type named_t;
+ type named_t;
+ type named_cache_t;
+ type named_conf_t;
+ type named_var_run_t;
+ type ndc_t;
+ type tmp_t;
+ class file { getattr unlink append read setattr write lock create rename link open };
+ class sock_file { create read write unlink setattr getattr };
+ class dir { add_name write read remove_name };
}
#only needed if using the guardian
#postgres backend:
postgresql_stream_connect(named_t)
+
+#bind backend:
+allow named_t named_cache_t:file { getattr unlink append read setattr write lock create rename link open };
+allow named_t named_cache_t:dir { add_name write read remove_name };
+allow named_t named_conf_t:file { read open };
+allow named_t named_var_run_t:file { getattr unlink append read setattr write lock create rename link open };
+
+# other stuff
+allow named_t var_run_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:file {getattr unlink append read setattr write lock create rename link open };
+allow ndc_t tmp_t:dir { add_name write read remove_name };
+allow ndc_t var_run_t:sock_file { create read write unlink };
+allow ndc_t named_conf_t:file { read open };
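Review bot: `var_run_t` is used in the new rules on L38 and L42 but is not declared in the `require{}` block on L15–L26, so the module will not build unless something outside this hunk declares it; more importantly, granting `named_t` and `ndc_t` create/unlink on `sock_file` under the generic `var_run_t` and `tmp_t` types lets these domains create or remove sockets belonging to any other service in /var/run and /tmp, which is much broader than needed given the .fc already labels the control socket `named_var_run_t`. A tighter version keeps the create/unlink rights on `named_var_run_t` and a private tmp type and uses a named file transition so newly created sockets land on those types; a sketch is below. The `link` permission on `named_cache_t` and `named_var_run_t` files (L32, L35) is unusual for a daemon and is worth confirming against an actual denial before keeping it. Note also that nothing here grants `ndc_t` `named_t:unix_stream_socket connectto`, so the control tool may still fail after these rules; verify with audit2allow rather than adding permissions speculatively.
```selinux
# … unchanged: require block (drop `type tmp_t;`, do not add `var_run_t`) …

type pdns_control_tmp_t;
files_tmp_file(pdns_control_tmp_t)

# … unchanged: postgres backend, bind backend cache/conf/pid rules …

# control socket: keep create/unlink on the pdns-specific pid type and
# transition new sock_files created in /var/run onto it
allow named_t named_var_run_t:sock_file { create read write unlink setattr getattr };
files_pid_filetrans(named_t, named_var_run_t, sock_file)

# pdns_control: private tmp type for its client socket, plus the connect
allow ndc_t pdns_control_tmp_t:sock_file { create read write unlink setattr getattr };
allow ndc_t pdns_control_tmp_t:dir { add_name write read remove_name };
files_tmp_filetrans(ndc_t, pdns_control_tmp_t, { sock_file dir })
files_search_pids(ndc_t)
allow ndc_t named_var_run_t:sock_file { read write getattr };
allow ndc_t named_t:unix_stream_socket connectto;
allow ndc_t named_conf_t:file { read open getattr };
```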