# SELinux type-enforcement policy for the Unbound DNS resolver daemon.
# Statements are grouped by purpose; the rule set is the same as before.
policy_module(unbound, 0.1.0)

#
# Type declarations
#

type unbound_t;
type unbound_exec_t;
type unbound_initrc_exec_t;
type unbound_conf_t;
type unbound_var_run_t;

# unbound_t is the daemon domain, entered by executing unbound_exec_t.
init_daemon_domain(unbound_t, unbound_exec_t)
init_script_file(unbound_initrc_exec_t)

# File-type attributes for the configuration and pid-file types.
files_type(unbound_conf_t)
files_pid_file(unbound_var_run_t)

role system_r types unbound_t;

# XXX
# unbound-{checkconf,control} are not protected. Do we need to protect them?
# NOTE(review): no domain for either helper is declared in this part of the
# policy, so this question is still open here.

#
# Unbound daemon
#

# Process privileges.
# NOTE(review): dac_override lets the daemon bypass ordinary file permission
# checks; confirm it is still required (correct ownership of the config and
# pid-file directories may make it unnecessary) before keeping it.
allow unbound_t self:capability { chown dac_override net_bind_service setgid setuid };
allow unbound_t self:tcp_socket create_stream_socket_perms;
allow unbound_t self:udp_socket create_socket_perms;

# Network: bind the DNS port over TCP and UDP on any node.
corenet_all_recvfrom_unlabeled(unbound_t)
corenet_tcp_bind_all_nodes(unbound_t)
corenet_udp_bind_all_nodes(unbound_t)
corenet_tcp_bind_dns_port(unbound_t)
corenet_udp_bind_dns_port(unbound_t)
# NOTE(review): presumably for the remote-control listener; verify that the
# rndc port type covers the control-port configured in unbound.conf.
corenet_tcp_bind_rndc_port(unbound_t)
# NOTE(review): broad grant (every unreserved UDP port), presumably for
# randomised source ports on outgoing queries; confirm before narrowing.
corenet_udp_bind_all_unreserved_ports(unbound_t)

# Files: read-only access to the configuration, full management of the pid file.
read_files_pattern(unbound_t, unbound_conf_t, unbound_conf_t)
manage_files_pattern(unbound_t, unbound_var_run_t, unbound_var_run_t)
files_read_etc_files(unbound_t)
miscfiles_read_localization(unbound_t)

# Runtime support: dynamic linking, entropy, name service lookups, syslog.
libs_use_ld_so(unbound_t)
libs_use_shared_libs(unbound_t)
dev_read_urand(unbound_t)
auth_use_nsswitch(unbound_t)
logging_send_syslog_msg(unbound_t)

###################################################