SElinux policy files.
git-svn-id: file:///svn/unbound/trunk@1379 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
386ff5debe
commit
9a9f012352
@ -8,3 +8,4 @@ distribution but may be helpful.
|
||||
* update-anchor.sh: shell script that uses unbound-host to update a set
|
||||
of trust anchor files. Run from cron twice a month.
|
||||
* unbound_munin_ : plugin for munin statistics report
|
||||
* selinux: the .fc and .te files for SElinux protection of the unbound daemon
|
||||
|
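--- /dev/null
+++ b/contrib/selinux/unbound.fc
@@ -0,0 +1,4 @@
+/etc/unbound(/.*)? system_u:object_r:unbound_conf_t:s0
+/etc/rc\.d/init\.d/unbound -- system_u:object_r:unbound_initrc_exec_t:s0
+/usr/sbin/unbound -- system_u:object_r:unbound_exec_t:s0
+/var/run/unbound(/.*)? system_u:object_r:unbound_var_run_t:s0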
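--- /dev/null
+++ b/contrib/selinux/unbound.te
@@ -0,0 +1,42 @@
+policy_module(unbound, 0.1.0)
+
+type unbound_t;
+type unbound_conf_t;
+type unbound_exec_t;
+type unbound_initrc_exec_t;
+type unbound_var_run_t;
+
+init_daemon_domain(unbound_t, unbound_exec_t)
+init_script_file(unbound_initrc_exec_t)
+
+role system_r types unbound_t;
+
+# XXX
+# unbound-{checkconf,control} are not protected. Do we need protect them?
+
+# Unbound daemon
+
+auth_use_nsswitch(unbound_t)
+dev_read_urand(unbound_t)
+corenet_all_recvfrom_unlabeled(unbound_t)
+corenet_tcp_bind_all_nodes(unbound_t)
+corenet_tcp_bind_dns_port(unbound_t)
+corenet_tcp_bind_rndc_port(unbound_t)
+corenet_udp_bind_all_nodes(unbound_t)
+corenet_udp_bind_all_unreserved_ports(unbound_t)
+corenet_udp_bind_dns_port(unbound_t)
+files_read_etc_files(unbound_t)
+files_pid_file(unbound_var_run_t)
+files_type(unbound_conf_t)
+libs_use_ld_so(unbound_t)
+libs_use_shared_libs(unbound_t)
+logging_send_syslog_msg(unbound_t)
+manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
+miscfiles_read_localization(unbound_t)
+read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
+
+allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
+allow unbound_t self:tcp_socket create_stream_socket_perms;
+allow unbound_t self:udp_socket create_socket_perms;
+
+###################################################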
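Review bot: The capability rule `allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };` grants dac_override, which lets the daemon bypass owner and mode checks on any file its type can otherwise reach, yet the policy already gives unbound_t its own labeled types for everything it touches (read on unbound_conf_t, manage on unbound_var_run_t) so the bypass should not be needed. I would drop dac_override, run the daemon in permissive mode and check audit2allow output; if a genuine denial appears, dac_read_search is the narrower grant to add back. One gap I can only infer from unbound's documented defaults rather than from this file: if the daemon is configured to chroot, sys_chroot is missing from the set and startup will be denied in enforcing mode, so that path deserves a test before the policy is shipped. The file ends on a bare `###...` separator with nothing after it; either remove it or add a comment naming the section it introduces, so readers do not assume the file was truncated.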
|
@ -1,3 +1,7 @@
|
||||
1 December 2008: Wouter
|
||||
- SElinux policy files in contrib/selinux for the unbound daemon,
|
||||
by Paul Wouters and Adam Tkac.
|
||||
|
||||
25 November 2008: Wouter
|
||||
- configure complains when --without-ssl is given (bug #220).
|
||||
- skip unsupported feature tests on vista/mingw.
|
||||
|