#include <tunables/global> /usr/sbin/kresd { #include <abstractions/base> #include <abstractions/p11-kit> #include <abstractions/nameservice> capability net_bind_service, capability setgid, capability setuid, # seems to be needed during start to read /var/lib/knot-resolver # while we still run as root. capability dac_override, network tcp, network udp, /proc/sys/net/core/somaxconn r, /etc/knot-resolver/* r, /var/lib/knot-resolver/ r, /var/lib/knot-resolver/** rwlk, # modules /usr/lib{,64}/kdns_modules/*.lua r, /usr/lib{,64}/kdns_modules/*.so rm, # Site-specific additions and overrides. See local/README for details. #include <local/usr.sbin.kresd> }