# SELinux reference-policy module for the unbound DNS resolver daemon.
# Declares the daemon domain (unbound_t), its executable, init script,
# configuration and PID-file types, and the access the daemon is granted.
policy_module(unbound, 0.1.0)

# Domain the daemon runs in.
type unbound_t;
# Configuration files; only ever read by unbound_t (see read_files_pattern below).
type unbound_conf_t;
# Entry point executable; transitioning to it yields unbound_t.
type unbound_exec_t;
# Init script for the daemon.
type unbound_initrc_exec_t;
# PID / runtime files under the PID directory; unbound_t may create and modify these.
type unbound_var_run_t;

# Make unbound_t a daemon domain entered from unbound_exec_t by init.
init_daemon_domain(unbound_t, unbound_exec_t)
init_script_file(unbound_initrc_exec_t)

# unbound_t is only reachable from the system role.
role system_r types unbound_t;

# XXX
# unbound-{checkconf,control} are not protected. Do we need protect them?
# NOTE(review): as written, no type is declared for those helper binaries,
# so they run in the caller's domain rather than unbound_t.

# Unbound daemon

# Name-service lookups (passwd/group etc.) via nsswitch.
auth_use_nsswitch(unbound_t)
# Read /dev/urandom; presumably for query-ID / source-port randomisation — confirm.
dev_read_urand(unbound_t)
# Accept packets that carry no SELinux network label.
corenet_all_recvfrom_unlabeled(unbound_t)
# Bind to any node address on TCP and UDP.
corenet_tcp_bind_all_nodes(unbound_t)
# Listen on the DNS port over TCP.
corenet_tcp_bind_dns_port(unbound_t)
# Bind the rndc port over TCP; presumably the unbound-control channel — confirm.
corenet_tcp_bind_rndc_port(unbound_t)
corenet_udp_bind_all_nodes(unbound_t)
# Bind any unreserved UDP port.  This is broad by design (outgoing query
# source ports); it is the widest network permission in this module.
corenet_udp_bind_all_unreserved_ports(unbound_t)
# Listen on the DNS port over UDP.
corenet_udp_bind_dns_port(unbound_t)
# Generic read access to /etc (e.g. resolver-related system files).
files_read_etc_files(unbound_t)
# Mark unbound_var_run_t as a PID-file type and unbound_conf_t as a plain file type.
files_pid_file(unbound_var_run_t)
files_type(unbound_conf_t)
# Dynamic loader and shared libraries.
libs_use_ld_so(unbound_t)
libs_use_shared_libs(unbound_t)
logging_send_syslog_msg(unbound_t)
# Full file management on its own runtime files; read-only on its configuration.
manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
miscfiles_read_localization(unbound_t)
read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)

# Capabilities.  setuid/setgid/chown are presumably for dropping root after
# binding the privileged port (net_bind_service) — confirm against the daemon's
# startup.  dac_override lets the domain bypass DAC file permission checks and is
# the most powerful grant here; worth re-checking whether it is actually needed.
allow unbound_t self:capability { setuid chown net_bind_service setgid dac_override };
# TCP sockets may be created and used as listeners (create_stream_socket_perms).
allow unbound_t self:tcp_socket create_stream_socket_perms;
# UDP sockets: create/bind/send/receive only.
allow unbound_t self:udp_socket create_socket_perms;

###################################################