# DESC nsd - Name Server Daemon
#
# Author: Paul Dwerryhouse
#
# Confinement for the nsd daemon (nsd_t). Private types:
#   nsd_conf_t  configuration, managed (read/written) by the daemon
#   nsd_zone_t  zone files, created and written by the daemon
#   nsd_db_t    compiled zone database, read-only for the daemon

daemon_domain(nsd, `, nscd_client_domain')

type nsd_conf_t, file_type, sysadmfile;
type nsd_zone_t, file_type, sysadmfile;
type nsd_db_t, file_type, sysadmfile;

# Execution: its own binary and generic bin_t programs; path lookups under
# bin/sbin directories (including symlinked binaries).
can_exec(nsd_t, { nsd_exec_t bin_t })
allow nsd_t bin_t:dir search;
allow nsd_t bin_t:lnk_file read;
allow nsd_t sbin_t:dir search;

# Networking: general network access, listen on the DNS port over udp and
# tcp, and connect out to the DNS port (presumably zone transfers from a
# master; confirm against the deployment).
can_network(nsd_t)
allow nsd_t dns_port_t:udp_socket name_bind;
allow nsd_t dns_port_t:tcp_socket name_bind;
allow nsd_t dns_port_t:tcp_socket name_connect;
# NOTE(review): `domain` matches every process type on the system, so any
# confined process may talk to nsd_t. For a public resolver this may be the
# intent, but it is the broadest choice available; prefer a narrower
# attribute if only known client domains need to reach nsd.
can_udp_send(domain, nsd_t)
can_udp_send(nsd_t, domain)
can_tcp_connect(domain, nsd_t)

# Configuration directory: full management of entries and files. The dir and
# file permissions that were spread over several rules are merged here; the
# resulting permission sets are identical.
# NOTE(review): `execute` on nsd_conf_t files combined with write/create/rename
# lets the daemon run content it can itself modify. Verify that something
# labeled nsd_conf_t is really executed by nsd_t and drop `execute` otherwise.
allow nsd_t nsd_conf_t:dir { getattr read search write add_name remove_name };
allow nsd_t nsd_conf_t:file { create read write getattr setattr unlink execute ioctl link rename };

# Zone files (created/written) and the compiled database (read-only).
create_dir_file(nsd_t, nsd_zone_t)
allow nsd_t nsd_db_t:file { getattr read };
allow nsd_t var_lib_t:dir search;

# Read generic etc_t configuration files.
allow nsd_t etc_t:file { getattr read };

# Capabilities: bind a privileged port, change identity (setuid/setgid,
# presumably to drop root after binding), chown files.
# NOTE(review): dac_override is commonly a symptom of mislabeled files rather
# than a genuine requirement; check whether correct labeling of the nsd
# directories removes the need for it before keeping it.
allow nsd_t self:capability { net_bind_service setuid setgid chown dac_override };

# Process-local sockets, pipes and the daemon's own file entries
# (self:file read is presumably for its own /proc entries; confirm).
allow nsd_t self:unix_dgram_socket { create connect read write };
allow nsd_t self:unix_stream_socket { create connect read write };
allow nsd_t self:fifo_file { getattr ioctl read write };
allow nsd_t self:file read;