From: vaclav.ovsik@i.cz (Václav Ovsík)
Date: Tue, 2 Sep 2008 15:04:44 +0200
Subject: [refpolicy] Debian: Bind: FC of conf files
Message-ID: <20080902130444.GA30953@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I noticed a bad context on part of the ISC Bind configuration files on Debian.
The default configuration uses a multi-file named.conf (named.conf includes
named.conf.options & named.conf.local). All parts should probably have the
same context (named_conf_t).

sid:/etc/bind# ls -Z
system_u:object_r:named_zone_t:s0 db.0
system_u:object_r:named_zone_t:s0 db.127
system_u:object_r:named_zone_t:s0 db.255
system_u:object_r:named_zone_t:s0 db.empty
system_u:object_r:named_zone_t:s0 db.local
system_u:object_r:named_zone_t:s0 db.root
system_u:object_r:named_conf_t:s0 named.conf
system_u:object_r:named_zone_t:s0 named.conf.local
system_u:object_r:named_zone_t:s0 named.conf.options
system_u:object_r:dnssec_t:s0 rndc.key
system_u:object_r:named_zone_t:s0 zones.rfc1918
sid:/etc/bind#

A patch fixes this.

Regards
--
Zito

Index: selinux-policy-src/policy/modules/services/bind.fc
===================================================================
--- selinux-policy-src.orig/policy/modules/services/bind.fc 2008-09-02 14:15:12.000000000 +0200
+++ selinux-policy-src/policy/modules/services/bind.fc 2008-09-02 14:17:11.000000000 +0200
@@ -15,6 +15,8 @@
 ifdef(`distro_debian',`
 /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
 /etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
 /var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 ')
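Review bot: The submission should state that existing installations need /etc/bind relabelled (for example `restorecon -R /etc/bind`) before the change takes effect, since the ls -Z output above shows named.conf.local and named.conf.options currently labelled named_zone_t and a file-context update alone does not relabel files already on disk. The two added lines themselves are consistent with the existing `/etc/bind/named\.conf` entry (escaped dots, the `--` regular-file qualifier, named_conf_t), and because they are more specific than, and listed after, the `/etc/bind(/.*)?` catch-all, they take precedence over it as intended.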