[selinux-policy: 2011/3172] trunk: bind update from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:58:39 UTC 2010


commit f5394cc3cb933961c665dbe4f50bfda5cc043ddc
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Sep 15 17:02:57 2008 +0000

    trunk: bind update from dan.

 policy/modules/services/bind.fc |    1 +
 policy/modules/services/bind.if |   26 ++++++++++++++++++++++++++
 policy/modules/services/bind.te |    8 ++++++--
 3 files changed, 33 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index 5680a4e..7347588 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,3 +1,4 @@
+/etc/rc.d/init.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
 
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index e0932ca..52f2d2c 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -254,3 +254,29 @@ interface(`bind_read_zone',`
 interface(`bind_udp_chat_named',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an bind environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bind_admin',`
+	gen_require(`
+		type named_t, ndc_t;
+	')
+
+	allow $1 named_t:process { ptrace signal_perms };
+	ps_process_pattern($1, named_t)
+	        
+	allow $1 ndc_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ndc_t)
+	        
+	bind_run_ndc($1, $2, $3)
+')
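Review bot: The new `bind_admin` body forwards `$2` and `$3` to `bind_run_ndc($1, $2, $3)` on L59, but the XML header only documents `domain`, so the generated interface reference will show a one-parameter interface; add `<param name="role"><summary>Role allowed access.</summary></param>` and `<param name="terminal"><summary>The type of the user terminal.</summary></param>` after the `domain` block, as the other refpolicy `*_admin` interfaces do. The summary also reads `an bind environment` (should be `a bind environment`), and L38, L55 and L58 carry trailing whitespace. Inferred from the rest of this commit: `named_initrc_exec_t` is introduced in bind.te but `bind_admin` neither calls `init_labeled_script_domtrans($1, named_initrc_exec_t)` nor grants `admin_pattern` access to the named_*_t file types, so a domain given this interface can ptrace and signal `named_t`/`ndc_t` yet presumably cannot restart the service or manage its configuration — worth confirming whether that narrower scope is intended, since `ptrace` on a privileged daemon is the broadest of the grants here.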
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index d3097df..2b95c2b 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind, 1.7.1)
+policy_module(bind, 1.7.2)
 
 ########################################
 #
@@ -35,6 +35,9 @@ files_mountpoint(named_conf_t)
 type named_cache_t;
 files_type(named_cache_t)
 
+type named_initrc_exec_t;
+init_script_file(named_initrc_exec_t)
+
 type named_log_t;
 logging_log_file(named_log_t)
 
@@ -60,7 +63,7 @@ role system_r types ndc_t;
 
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched setcap setrlimit signal_perms };
+allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket create_stream_socket_perms;
 allow named_t self:unix_dgram_socket create_socket_perms;
@@ -222,6 +225,7 @@ corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
+corenet_tcp_bind_all_nodes(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
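Review bot: `corenet_tcp_bind_all_nodes(ndc_t)` on L95 grants the rndc client permission to bind a TCP socket to any local node address, but nothing in the hunk records why a client-only domain needs it, and no port `name_bind` rule accompanies it. Presumably this covers `rndc -b <source-address>`, where the socket is bound to a source address on an ephemeral port before the connect to the rndc port granted on L96 — a one-line comment such as `# rndc -b: bind to a source address before connecting` above the rule would keep that intent from being lost. If a fixed source port were also required, a separate port-bind interface would be needed; confirm against the use case that motivated this rule.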

