Diffstat (limited to 'debian/extras/apparmor.d/usr.sbin.named')
-rw-r--r--debian/extras/apparmor.d/usr.sbin.named101
1 files changed, 101 insertions, 0 deletions
diff --git a/debian/extras/apparmor.d/usr.sbin.named b/debian/extras/apparmor.d/usr.sbin.named
new file mode 100644
index 0000000..f572f4d
--- /dev/null
+++ b/debian/extras/apparmor.d/usr.sbin.named
@@ -0,0 +1,101 @@
+# vim:syntax=apparmor
+# Last Modified: Fri Jun 1 16:43:22 2007
+#include <tunables/global>
+
+profile named /usr/sbin/named flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+
+ # /etc/bind should be read-only for bind
+ # /var/lib/bind is for dynamically updated zone (and journal) files.
+ # /var/cache/bind is for slave/stub data, since we're not the origin of it.
+ # See /usr/share/doc/bind9/README.Debian.gz
+ /etc/bind/** r,
+ /var/lib/bind/** rw,
+ /var/lib/bind/ rw,
+ /var/cache/bind/** lrw,
+ /var/cache/bind/ rw,
+
+ # Database file used by allow-new-zones
+ /var/cache/bind/_default.nzd-lock rwk,
+
+ # gssapi
+ /etc/krb5.keytab kr,
+ /etc/bind/krb5.keytab kr,
+
+ # ssl
+ /etc/ssl/*.cnf r,
+ /etc/ssl/*.conf r,
+
+ # root hints from dns-data-root
+ /usr/share/dns/root.* r,
+
+ # GeoIP data files for GeoIP ACLs
+ /usr/share/GeoIP/** r,
+
+ # dnscvsutil package
+ /var/lib/dnscvsutil/compiled/** rw,
+
+ # Allow changing worker thread names
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ # named need to check if hugepages is available
+ /sys/kernel/mm/transparent_hugepage/enabled r,
+
+ @{PROC}/net/if_inet6 r,
+ @{PROC}/*/net/if_inet6 r,
+ @{PROC}/sys/net/ipv4/ip_local_port_range r,
+ /usr/sbin/named mr,
+ /{,var/}run/named/named.pid w,
+ /{,var/}run/named/session.key w,
+ # support for resolvconf
+ /{,var/}run/named/named.options r,
+
+ # some people like to put logs in /var/log/named/ instead of having
+ # syslog do the heavy lifting.
+ /var/log/named/** rw,
+ /var/log/named/ rw,
+
+ # gssapi
+ /var/lib/sss/pubconf/krb5.include.d/** r,
+ /var/lib/sss/pubconf/krb5.include.d/ r,
+ /var/lib/sss/mc/initgroups r,
+ /etc/gss/mech.d/ r,
+
+ # ldap
+ /etc/ldap/ldap.conf r,
+ /{,var/}run/slapd-*.socket rw,
+
+ # dynamic updates
+ /var/tmp/DNS_* rw,
+
+ # dyndb backends
+ /usr/lib/bind/*.so rm,
+
+ # Samba DLZ
+ /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
+ /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
+ /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
+ /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
+ /var/lib/samba/bind-dns/dns.keytab rk,
+ /var/lib/samba/bind-dns/named.conf r,
+ /var/lib/samba/bind-dns/dns/** rwk,
+ /var/lib/samba/private/dns.keytab rk,
+ /var/lib/samba/private/named.conf r,
+ /var/lib/samba/private/dns/** rwk,
+ /etc/samba/smb.conf r,
+ /dev/urandom rwmk,
+ owner /var/tmp/krb5_* rwk,
+
+ # systemd sd_notify
+ /run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.named>
+}
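Review bot: The dynamic-update rule `/var/tmp/DNS_* rw,` grants write access to any matching file in a shared, world-writable directory without the `owner` qualifier that the neighbouring `owner /var/tmp/krb5_* rwk,` rule uses; for consistency and least privilege it should read `owner /var/tmp/DNS_* rw,`. The `/dev/urandom rwmk,` rule in the Samba DLZ section also looks broader than reading entropy requires — `m` (mmap) and `k` (lock) on a character device are unusual, and unless a backend is known to need them, `/dev/urandom r,` would be the tighter rule; worth confirming against the DLZ plugin before narrowing. The `# Last Modified: Fri Jun 1 16:43:22 2007` header is stale for a file that already carries rules for systemd, hugepages and dyndb; either update it or drop the line, since it no longer documents anything.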