policy_module(pdns, 1.0.2) ######################################## # # Declarations # ## ##

## Allow PowerDNS to connect to databases over the network. ##

## gen_tunable(pdns_can_network_connect_db, false) type pdns_t; type pdns_exec_t; init_daemon_domain(pdns_t, pdns_exec_t) init_nnp_daemon_domain(pdns_t) type pdns_unit_file_t; systemd_unit_file(pdns_unit_file_t) type pdns_conf_t; files_config_file(pdns_conf_t) type pdns_var_lib_t; files_type(pdns_var_lib_t) type pdns_var_run_t; files_pid_file(pdns_var_run_t) type pdns_control_t; type pdns_control_exec_t; init_system_domain(pdns_control_t, pdns_control_exec_t) ######################################## # # pdns_t local policy # allow pdns_t self:capability { setuid setgid chown }; allow pdns_t self:tcp_socket create_stream_socket_perms; allow pdns_t self:udp_socket create_socket_perms; allow pdns_t self:unix_dgram_socket create_socket_perms; pdns_read_config(pdns_t) kernel_read_network_state(pdns_t) kernel_read_system_state(pdns_t) corenet_tcp_bind_dns_port(pdns_t) corenet_udp_bind_dns_port(pdns_t) corenet_tcp_bind_transproxy_port(pdns_t) manage_dirs_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) manage_files_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) files_var_lib_filetrans(pdns_t, pdns_var_lib_t, { dir file }) allow pdns_t pdns_var_lib_t:file map; files_pid_filetrans(pdns_t, pdns_var_run_t, { file sock_file }) manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) auth_use_nsswitch(pdns_t) corenet_udp_bind_generic_port(pdns_t) logging_send_syslog_msg(pdns_t) ######################################## # # pdns_control_t local policy # pdns_read_config(pdns_control_t) stream_connect_pattern(pdns_control_t, pdns_var_run_t, pdns_var_run_t, pdns_t) ######################################## # # optional policy # optional_policy(` mysql_read_config(pdns_t) mysql_stream_connect(pdns_t) tunable_policy(`pdns_can_network_connect_db',` mysql_tcp_connect(pdns_t) ') ') optional_policy(` postgresql_stream_connect(pdns_t) tunable_policy(`pdns_can_network_connect_db',` postgresql_tcp_connect(pdns_t) ') ')