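#DESC TINYDNS - Name server for djbdns
#
# Authors:  Matthew J. Fanto
#
# Based off Named policy file written by
#  Yuichi Nakamura,
#  Russell Coker
#
# X-Debian-Packages: djbdns-installer djbdns
#
# tinydns is the authoritative (non-recursive) server of djbdns.  It reads a
# pre-compiled data file and answers queries; it has no reason to reach out
# to other hosts, so the rules below are deliberately narrower than the
# named (BIND) policy this file was derived from.
#

#################################
#
# Rules for the tinydns_t domain.
#
# daemon_domain() supplies the tinydns_t domain, tinydns_exec_t and the
# tinydns_var_run_t type referenced at the bottom of this file.
daemon_domain(tinydns)

# Allow the domain to re-execute its own binary (e.g. under supervise).
can_exec(tinydns_t, tinydns_exec_t)

# The daemon is normally started from a path under sbin.
allow tinydns_t sbin_t:dir search;

# tinydns adjusts its own scheduling; no capability beyond self:process.
allow tinydns_t self:process setsched;

# A type for configuration files of tinydns.
type tinydns_conf_t, file_type, sysadmfile;

# For primary zone files - the compiled data file (data.cdb) and its source.
type tinydns_zone_t, file_type, sysadmfile;

# Read-only access to system configuration (no write, no create).
allow tinydns_t etc_t:file { getattr read };
allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };

# tinydns can use the network, but only as a UDP listener on the DNS port.
# It never binds TCP: TCP queries and zone transfers (AXFR) are served by the
# separate axfrdns program, which gets its own domain.  Granting tcp_socket
# name_bind here (as the named policy does) would only widen the attack
# surface of a compromised tinydns, so it is intentionally omitted.
can_network_server(tinydns_t)
allow tinydns_t dns_port_t:udp_socket name_bind;

# Allow UDP transfer to/from any program: clients on this host (resolvers,
# dnscache) must be able to reach the server and receive its answers.
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)

# tinydns itself doesn't do zone transfers or outbound lookups,
# so we do not need to give it tcp_connect (or any tcp_socket permission).

# Read configuration files and the zone data.  Read-only: the data file is
# rebuilt by tinydns-data in the admin's context, never by the daemon.
r_dir_file(tinydns_t, tinydns_conf_t)
r_dir_file(tinydns_t, tinydns_zone_t)

# Allow tinydns to create datagram sockets (udp).
# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
allow tinydns_t self:unix_dgram_socket create_socket_perms;

# Read /dev/random (used to seed query-ID / port randomisation).
allow tinydns_t device_t:dir r_dir_perms;
allow tinydns_t random_device_t:chr_file r_file_perms;

# Set own capabilities (the daemon reduces its own capability set).
# NOTE(review): tinydns chroots into $ROOT and then drops to $UID/$GID on
# its own; confirm that daemon_domain() already covers the sys_chroot,
# setuid and setgid capabilities this needs, otherwise the daemon will die
# at startup with an AVC denial rather than run with elevated privilege.
allow tinydns_t self:process setcap;

# For chmod in start script: the init script touches the run directory;
# silence the denial instead of granting initrc_t setattr on it.
dontaudit initrc_t tinydns_var_run_t:dir setattr;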