author | Riccardo Spagni <ric@spagni.net> | 2014-10-05 23:44:31 +0200 |
committer | Riccardo Spagni <ric@spagni.net> | 2014-10-05 23:44:31 +0200 |
commit | 9ef094b356b4da7542c3cab898dac7e135b76903 (patch) | |
tree | 99b5876712b0b1551fc042fe75447b998e4b0fc1 /external/unbound/contrib/selinux | |
parent | split mnemonic printout over 3 lines (diff) | |
download | monero-9ef094b356b4da7542c3cab898dac7e135b76903.tar.xz |
Add unbound to external dependencies
Diffstat (limited to 'external/unbound/contrib/selinux')
-rw-r--r-- | external/unbound/contrib/selinux/unbound.fc | 4 | ||||
-rw-r--r-- | external/unbound/contrib/selinux/unbound.te | 42 |
2 files changed, 46 insertions, 0 deletions
diff --git a/external/unbound/contrib/selinux/unbound.fc b/external/unbound/contrib/selinux/unbound.fc
new file mode 100644
index 000000000..f7e63eada
--- /dev/null
+++ b/external/unbound/contrib/selinux/unbound.fc
@@ -0,0 +1,4 @@
+/etc/unbound(/.*)? system_u:object_r:unbound_conf_t:s0
+/etc/rc\.d/init\.d/unbound -- system_u:object_r:unbound_initrc_exec_t:s0
+/usr/sbin/unbound -- system_u:object_r:unbound_exec_t:s0
+/var/run/unbound(/.*)? system_u:object_r:unbound_var_run_t:s0
diff --git a/external/unbound/contrib/selinux/unbound.te b/external/unbound/contrib/selinux/unbound.te
new file mode 100644
index 000000000..d407ed351
--- /dev/null
+++ b/external/unbound/contrib/selinux/unbound.te
@@ -0,0 +1,42 @@
+policy_module(unbound, 0.1.0)
+
+type unbound_t;
+type unbound_conf_t;
+type unbound_exec_t;
+type unbound_initrc_exec_t;
+type unbound_var_run_t;
+
+init_daemon_domain(unbound_t, unbound_exec_t)
+init_script_file(unbound_initrc_exec_t)
+
+role system_r types unbound_t;
+
+# XXX
+# unbound-{checkconf,control} are not protected. Do we need protect them?
+
+# Unbound daemon
+
+auth_use_nsswitch(unbound_t)
+dev_read_urand(unbound_t)
+corenet_all_recvfrom_unlabeled(unbound_t)
+corenet_tcp_bind_all_nodes(unbound_t)
+corenet_tcp_bind_dns_port(unbound_t)
+corenet_tcp_bind_rndc_port(unbound_t)
+corenet_udp_bind_all_nodes(unbound_t)
+corenet_udp_bind_all_unreserved_ports(unbound_t)
+corenet_udp_bind_dns_port(unbound_t)
+files_read_etc_files(unbound_t)
+files_pid_file(unbound_var_run_t)
+files_type(unbound_conf_t)
+libs_use_ld_so(unbound_t)
+libs_use_shared_libs(unbound_t)
+logging_send_syslog_msg(unbound_t)
+manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
+miscfiles_read_localization(unbound_t)
+read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
+
+allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
+allow unbound_t self:tcp_socket create_stream_socket_perms;
+allow unbound_t self:udp_socket create_socket_perms;
+
+################################################### |