]> git.saurik.com Git - apple/network_cmds.git/blob - unbound/contrib/selinux/unbound.te
network_cmds-596.100.2.tar.gz
# SELinux policy module for the Unbound resolver daemon: declares the module,
# the types it uses, and how the daemon domain is entered.
1 policy_module(unbound, 0.1.0)
2
# unbound_t is the process domain; the remaining types label files:
#   unbound_conf_t        - configuration (read-only to the daemon, see read_files_pattern below)
#   unbound_exec_t        - the daemon executable (entry point into unbound_t)
#   unbound_initrc_exec_t - the init script
#   unbound_var_run_t     - pid file (managed by the daemon, see manage_files_pattern below)
# NOTE(review): a type only confines anything once files are labelled with it;
# no file-context rules are visible in this part of the file -- confirm the
# matching .fc file labels the binary, config and pid paths.
3 type unbound_t;
4 type unbound_conf_t;
5 type unbound_exec_t;
6 type unbound_initrc_exec_t;
7 type unbound_var_run_t;
8
# Make unbound_t a daemon domain that init enters by executing a file labelled
# unbound_exec_t, and register the init script type.
9 init_daemon_domain(unbound_t, unbound_exec_t)
10 init_script_file(unbound_initrc_exec_t)
11
# Authorise the domain for the system role (daemons run as system_r).
12 role system_r types unbound_t;
13
14 # XXX
15 # unbound-{checkconf,control} are not protected. Do we need to protect them?
16
17 # Unbound daemon
18
# Access granted to the daemon domain through reference-policy interfaces.
# Everything not listed here (or in the allow rules that follow) is denied to
# unbound_t when the domain is enforcing.
# Name-service lookups and the kernel random source.
19 auth_use_nsswitch(unbound_t)
20 dev_read_urand(unbound_t)
# Network: receive unlabeled traffic, bind on any local address (node), and
# bind the DNS port type over TCP and UDP.
21 corenet_all_recvfrom_unlabeled(unbound_t)
22 corenet_tcp_bind_all_nodes(unbound_t)
23 corenet_tcp_bind_dns_port(unbound_t)
# NOTE(review): rndc is BIND's control-port type; presumably used here for the
# unbound-control channel -- confirm the configured control port carries this label.
24 corenet_tcp_bind_rndc_port(unbound_t)
25 corenet_udp_bind_all_nodes(unbound_t)
# Broadest network grant in this section: UDP bind on any unreserved port.
# NOTE(review): presumably needed for randomised source ports on outgoing
# queries; it also means the port label does not restrict where a compromised
# daemon can listen on UDP -- confirm this scope is intended.
26 corenet_udp_bind_all_unreserved_ports(unbound_t)
27 corenet_udp_bind_dns_port(unbound_t)
# Files: read generic /etc content; declare the pid-file and config types.
28 files_read_etc_files(unbound_t)
29 files_pid_file(unbound_var_run_t)
30 files_type(unbound_conf_t)
# Dynamic linking and logging to syslog.
31 libs_use_ld_so(unbound_t)
32 libs_use_shared_libs(unbound_t)
33 logging_send_syslog_msg(unbound_t)
# The daemon may create, modify and delete its own pid files.
# NOTE(review): no type-transition rule for pid files is visible in this part
# of the file, so newly created files get unbound_var_run_t only if their
# parent directory is already labelled that way -- verify.
34 manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
35 miscfiles_read_localization(unbound_t)
# Configuration is read-only to the daemon: no rule here lets unbound_t write
# unbound_conf_t, so the running process cannot rewrite its own config.
36 read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
37
# Linux capabilities the daemon may exercise under SELinux:
#   setuid / setgid  - change UID/GID (presumably to drop root after startup)
#   chown            - change file ownership
#   net_bind_service - bind ports below 1024 (the DNS port)
#   dac_override     - bypass owner/mode file permission checks
# NOTE(review): dac_override is the widest of these; it is often only needed
# because a file or directory has the wrong owner or mode. Check whether fixing
# ownership of the config and pid paths lets it be dropped.
38 allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
# Create and use the domain's own TCP (stream) and UDP sockets. Which ports
# those sockets may bind is governed by the corenet_* rules, not by these lines.
39 allow unbound_t self:tcp_socket create_stream_socket_perms;
40 allow unbound_t self:udp_socket create_socket_perms;
41
42 ###################################################