-rw-r--r-- | pdns.fc | 7 | ||||
-rw-r--r-- | pdns.if | 41 | ||||
-rw-r--r-- | pdns.te | 86 |
3 files changed, 134 insertions, 0 deletions
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/pdns -- gen_context(system_u:object_r:pdns_initrc_exec_t,s0)
+/usr/lib/systemd/system/pdns.* -- gen_context(system_u:object_r:pdns_unit_file_t,s0)
+/usr/bin/pdns_control -- gen_context(system_u:object_r:pdns_control_exec_t,s0)
+/usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0)
+/var/run/pdns\.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0)
+/var/run/pdns\.controlsocket -s gen_context(system_u:object_r:pdns_var_run_t,s0)
+/etc/pdns(/.*)? gen_context(system_u:object_r:pdns_conf_t,s0)
@@ -0,0 +1,41 @@
+## <summary>PowerDNS DNS server.</summary>
+
+########################################
+## <summary>
+## Execute pdns in the pdns domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+
+interface(`pdns_domtrans',`
+ gen_require(`
+ type pdns_t, pdns_exec_t;
+ ')
+
+ domtrans_pattern($1, pdns_exec_t, pdns_t)
+')
+
+########################################
+## <summary>
+## Execute pdns_control in the pdns_control domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pdns_domtrans_pdns_control',`
+ gen_require(`
+ type pdns_control_t, pdns_control_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pdns_control_exec_t, pdns_control_t)
+')
+
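Review bot: The unit-file pattern `/usr/lib/systemd/system/pdns.*` is an unanchored regex, so it labels every file whose name merely starts with `pdns` — a `pdns-recursor.service` from a different package would also become `pdns_unit_file_t`, while the `.pid` and `.controlsocket` entries in the same hunk do escape their dots. If only this package's own unit is meant, anchor it, e.g. `/usr/lib/systemd/system/pdns\.service -- gen_context(system_u:object_r:pdns_unit_file_t,s0)`, or whatever tighter pattern matches the unit files the package actually ships. Worth a one-line comment either way, because the looser pattern reads as a typo next to the escaped entries.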
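Review bot: Nothing in this file populates the `pdns_control_roles` attribute that pdns.te declares and binds with `role pdns_control_roles types pdns_control_t;`, so no user role can ever reach `pdns_control_t` through the public interface — `pdns_domtrans_pdns_control` only sets up the domain transition. The usual refpolicy pairing is a `pdns_run_pdns_control(domain, role)` interface that calls the domtrans interface and adds `roleattribute $2 pdns_control_roles;`. A smaller inconsistency in the same hunk: `pdns_domtrans` omits the `corecmd_search_bin($1)` that `pdns_domtrans_pdns_control` includes, even though `pdns_server` also lives under a bin directory; presumably only init callers are expected, in which case a comment saying so would help.
```selinux
########################################
## <summary>
##	Execute pdns_control in the pdns_control domain, and
##	allow the specified role the pdns_control domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
#
interface(`pdns_run_pdns_control',`
	gen_require(`
		attribute_role pdns_control_roles;
	')

	pdns_domtrans_pdns_control($1)
	roleattribute $2 pdns_control_roles;
')
```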
@@ -0,0 +1,86 @@
+policy_module(pdns, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role pdns_control_roles;
+
+type pdns_t;
+type pdns_exec_t;
+init_daemon_domain(pdns_t, pdns_exec_t)
+
+permissive pdns_t;
+
+type pdns_initrc_exec_t;
+init_script_file(pdns_initrc_exec_t)
+
+type pdns_unit_file_t;
+systemd_unit_file(pdns_unit_file_t)
+
+type pdns_conf_t;
+files_config_file(pdns_conf_t)
+
+type pdns_var_run_t;
+files_pid_file(pdns_var_run_t)
+
+type pdns_control_t;
+type pdns_control_exec_t;
+init_system_domain(pdns_control_t, pdns_control_exec_t)
+role pdns_control_roles types pdns_control_t;
+
+type pdns_control_tmp_t;
+files_tmp_file(pdns_control_tmp_t)
+files_tmp_filetrans(pdns_control_t, pdns_control_tmp_t, { file sock_file })
+
+########################################
+#
+# pdns local policy
+#
+
+allow pdns_t self:capability { setuid setgid chown };
+allow pdns_t self:tcp_socket create_stream_socket_perms;
+allow pdns_t self:udp_socket create_socket_perms;
+allow pdns_t self:unix_dgram_socket create_socket_perms;
+allow pdns_t pdns_conf_t:file read_file_perms;
+allow pdns_t pdns_conf_t:dir search;
+
+corenet_tcp_bind_dns_port(pdns_t)
+corenet_udp_bind_dns_port(pdns_t)
+
+files_pid_filetrans(pdns_t, pdns_var_run_t, { file sock_file })
+manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
+manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t)
+
+auth_use_nsswitch(pdns_t)
+
+dev_read_urand(pdns_t)
+
+logging_send_syslog_msg(pdns_t)
+
+
+########################################
+#
+# pdns_control local policy
+#
+
+allow pdns_control_t pdns_conf_t:file read_file_perms;
+stream_connect_pattern(pdns_control_t, pdns_var_run_t, pdns_var_run_t, pdns_t)
+manage_files_pattern(pdns_control_t, pdns_control_tmp_t, pdns_control_tmp_t)
+manage_sock_files_pattern(pdns_control_t, pdns_control_tmp_t, pdns_control_tmp_t)
+
+
+########################################
+#
+# optional policy
+#
+
+optional_policy(`
+ mysql_read_config(pdns_t)
+ mysql_stream_connect(pdns_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(pdns_t)
+')
|
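Review bot: `permissive pdns_t;` in the declarations section makes the network-facing daemon domain audit-only, so every rule below it for pdns_t is logged on denial but never enforced, while `pdns_control_t` in the same module is enforcing — an inconsistent and easy-to-ship-by-accident state. Either drop the line before the module is released or mark it explicitly, e.g. `# TODO: development only, remove before release` directly above it. In the pdns_control block, `allow pdns_control_t pdns_conf_t:file read_file_perms;` has no matching `allow pdns_control_t pdns_conf_t:dir search;` as pdns_t has, yet `/etc/pdns(/.*)?` labels the directory itself `pdns_conf_t`, so the config file is unreachable through its own directory once the domain is enforcing. It also looks like pdns_control_t is given no search access to the pid directory holding `pdns.controlsocket` (`stream_connect_pattern` grants only the socket write and connect), but confirm that against an actual denial log rather than adding it speculatively.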