From: Aki Tuomi
Date: Fri, 17 Jan 2014 08:59:34 +0000 (+0200)
Subject: New policy and context files
X-Git-Tag: rec-3.6.0-rc1~238^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dce4fd489162b92324f5f60202f319454b107981;p=pdns
New policy and context files
---
diff --git a/contrib/selinux/pdns.fc b/contrib/selinux/pdns.fc
index 4d7af1e4e..f841623af 100644
--- a/contrib/selinux/pdns.fc
+++ b/contrib/selinux/pdns.fc
@@ -1,6 +1,9 @@
 /usr/sbin/pdns_server -- gen_context(system_u:object_r:named_exec_t,s0)
-/etc/pdns/pdns\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/pdns(/.*)? -d gen_context(system_u:object_r:named_conf_t,s0)
 /var/run/pdns\.controlsocket -s gen_context(system_u:object_r:named_var_run_t,s0)
 /var/run/pdns\.pid -- gen_context(system_u:object_r:named_var_run_t,s0)
-/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
-/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdns_control -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/usr/bin/pdnssec -- gen_context(system_u:object_r:ndc_exec_t,s0)
+/var/cache/pdns(/.*)? -- gen_context(system_u:object_r:named_cache_t,s0)
+/var/cache/pdns(/.*)? -d gen_context(system_u:object_r:named_cache_t,s0)
diff --git a/contrib/selinux/pdns.te b/contrib/selinux/pdns.te
index 95960d7cc..488b4a6eb 100644
--- a/contrib/selinux/pdns.te
+++ b/contrib/selinux/pdns.te
@@ -1,7 +1,15 @@
-policy_module(pdns,0.9.0)
+policy_module(pdns,0.9.5)
 require{
- type named_t;
+ type named_t;
+ type named_cache_t;
+ type named_conf_t;
+ type named_var_run_t;
+ type ndc_t;
+ type tmp_t;
+ class file { getattr unlink append read setattr write lock create rename link open };
+ class sock_file { create read write unlink setattr getattr };
+ class dir { add_name write read remove_name };
 }
 #only needed if using the guardian
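Review bot: The paired `--`/`-d` entries for `/etc/pdns(/.*)?` and `/var/cache/pdns(/.*)?` label only regular files and directories, so a symlink, fifo or socket placed under either tree keeps its inherited label and none of the `named_conf_t`/`named_cache_t` rules in pdns.te will match it. The conventional form is one entry with no object-type column, `/etc/pdns(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)` and likewise `/var/cache/pdns(/.*)?	gen_context(system_u:object_r:named_cache_t,s0)`, which covers every object type and halves the list. Note also that the `/var/run/pdns\.controlsocket -s` line only takes effect on a relabel; the label the daemon's socket actually receives when it is created at runtime is decided by a type transition in the .te, which this commit does not add.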
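Review bot: The new `require{}` block does not list `type var_run_t;`, yet the rules this commit adds to the module body (second hunk) reference it in `allow named_t var_run_t:sock_file ...` and `allow ndc_t var_run_t:sock_file ...`; unless an interface call in the lines between the two hunks brings that type into scope, the module will fail to build with the type out of scope. Add `type var_run_t;` next to `type named_var_run_t;`. On style, the file already relies on refpolicy interfaces (`mysql_stream_connect`, `postgresql_stream_connect`), so the file/dir/sock_file permission sets could be written with the `manage_files_pattern`/`manage_dirs_pattern`/`manage_sock_files_pattern` macros, which would also make the hand-written `class` lists in this block unnecessary.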
@@ -14,3 +22,17 @@ mysql_stream_connect(named_t)
 #postgres backend:
 postgresql_stream_connect(named_t)
+
+#bind backend:
+allow named_t named_cache_t:file { getattr unlink append read setattr write lock create rename link open };
+allow named_t named_cache_t:dir { add_name write read remove_name };
+allow named_t named_conf_t:file { read open };
+allow named_t named_var_run_t:file { getattr unlink append read setattr write lock create rename link open };
+
+# other stuff
+allow named_t var_run_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:sock_file { create read write unlink setattr getattr };
+allow ndc_t tmp_t:file {getattr unlink append read setattr write lock create rename link open };
+allow ndc_t tmp_t:dir { add_name write read remove_name };
+allow ndc_t var_run_t:sock_file { create read write unlink };
+allow ndc_t named_conf_t:file { read open };
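Review bot: `allow named_t var_run_t:sock_file { create read write unlink setattr getattr }` lets the daemon create, overwrite and unlink any socket carrying the generic `var_run_t` label under /var/run, i.e. other services' sockets, and it is only needed because nothing makes the control socket land as `named_var_run_t` at creation time as pdns.fc declares; after a relabel the socket flips to `named_var_run_t` and the `allow ndc_t var_run_t:sock_file` rule stops matching. Replace the two `var_run_t:sock_file` rules with a transition and rules scoped to the private type: `files_pid_filetrans(named_t, named_var_run_t, sock_file)`, `allow named_t named_var_run_t:sock_file { create read write unlink setattr getattr };`, `allow ndc_t named_var_run_t:sock_file { read write };`. The three `ndc_t tmp_t` rules similarly give pdns_control create/unlink/write on every `tmp_t` object on the system; if the tool only needs its own scratch socket, a dedicated tmp type assigned via `files_tmp_filetrans(ndc_t, ...)` would confine it to that. Whether `ndc_t` also needs `named_t:unix_stream_socket connectto` to actually reach the daemon's socket cannot be told from this hunk, so check it is granted elsewhere in the file.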