You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
95 lines
2.4 KiB
Plaintext
95 lines
2.4 KiB
Plaintext
# vim:syntax=apparmor
|
|
# Last Modified: Fri Jun 1 16:43:22 2007
|
|
#include <tunables/global>
|
|
|
|
profile named /usr/sbin/named flags=(attach_disconnected) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/nameservice>
|
|
|
|
capability net_bind_service,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_chroot,
|
|
capability sys_resource,
|
|
|
|
# /etc/bind should be read-only for bind
|
|
# /var/lib/bind is for dynamically updated zone (and journal) files.
|
|
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
|
|
# See /usr/share/doc/bind9/README.Debian.gz
|
|
/etc/bind/** r,
|
|
/var/lib/bind/** rw,
|
|
/var/lib/bind/ rw,
|
|
/var/cache/bind/** lrw,
|
|
/var/cache/bind/ rw,
|
|
|
|
# Database file used by allow-new-zones
|
|
/var/cache/bind/_default.nzd-lock rwk,
|
|
|
|
# gssapi
|
|
/etc/krb5.keytab kr,
|
|
/etc/bind/krb5.keytab kr,
|
|
|
|
# ssl
|
|
/etc/ssl/openssl.cnf r,
|
|
|
|
# root hints from dns-data-root
|
|
/usr/share/dns/root.* r,
|
|
|
|
# GeoIP data files for GeoIP ACLs
|
|
/usr/share/GeoIP/** r,
|
|
|
|
# dnscvsutil package
|
|
/var/lib/dnscvsutil/compiled/** rw,
|
|
|
|
# Allow changing worker thread names
|
|
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
|
|
|
|
@{PROC}/net/if_inet6 r,
|
|
@{PROC}/*/net/if_inet6 r,
|
|
@{PROC}/sys/net/ipv4/ip_local_port_range r,
|
|
/usr/sbin/named mr,
|
|
/{,var/}run/named/named.pid w,
|
|
/{,var/}run/named/session.key w,
|
|
# support for resolvconf
|
|
/{,var/}run/named/named.options r,
|
|
|
|
# some people like to put logs in /var/log/named/ instead of having
|
|
# syslog do the heavy lifting.
|
|
/var/log/named/** rw,
|
|
/var/log/named/ rw,
|
|
|
|
# gssapi
|
|
/var/lib/sss/pubconf/krb5.include.d/** r,
|
|
/var/lib/sss/pubconf/krb5.include.d/ r,
|
|
/var/lib/sss/mc/initgroups r,
|
|
/etc/gss/mech.d/ r,
|
|
|
|
# ldap
|
|
/etc/ldap/ldap.conf r,
|
|
/{,var/}run/slapd-*.socket rw,
|
|
|
|
# dynamic updates
|
|
/var/tmp/DNS_* rw,
|
|
|
|
# dyndb backends
|
|
/usr/lib/bind/*.so rm,
|
|
|
|
# Samba DLZ
|
|
/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
|
|
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
|
|
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
|
|
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
|
|
/var/lib/samba/bind-dns/dns.keytab rk,
|
|
/var/lib/samba/bind-dns/named.conf r,
|
|
/var/lib/samba/bind-dns/dns/** rwk,
|
|
/var/lib/samba/private/dns.keytab rk,
|
|
/var/lib/samba/private/named.conf r,
|
|
/var/lib/samba/private/dns/** rwk,
|
|
/etc/samba/smb.conf r,
|
|
/dev/urandom rwmk,
|
|
owner /var/tmp/krb5_* rwk,
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/usr.sbin.named>
|
|
}
|