cmouse/gist:8470314

## gistfile1.txt
policy_module(pdns,0.9.5)

require{
        type named_t;
        type named_cache_t;
        type named_conf_t;
        type named_var_run_t;
        type ndc_t;
        type tmp_t;
        class file { getattr unlink append read setattr write lock create rename link open };
        class sock_file { create read write unlink setattr getattr };
        class dir { add_name write read remove_name };
}

#only needed if using the guardian
allow named_t self:capability { kill };

#gmysql backend:
mysql_read_config(named_t)
files_read_usr_files(named_t)
mysql_stream_connect(named_t)

#postgres backend:
postgresql_stream_connect(named_t)

#bind backend:
allow named_t named_cache_t:file { getattr unlink append read setattr write lock create rename link open };
allow named_t named_cache_t:dir { add_name write read remove_name };
allow named_t named_conf_t:file { read open };
allow named_t named_var_run_t:file { getattr unlink append read setattr write lock create rename link open };

# other stuff
allow named_t var_run_t:sock_file { create read write unlink setattr getattr };
allow ndc_t tmp_t:sock_file { create read write unlink setattr getattr };
allow ndc_t tmp_t:file {getattr unlink append read setattr write lock create rename link open };
allow ndc_t tmp_t:dir { add_name write read remove_name };
allow ndc_t var_run_t:sock_file { create read write unlink };
allow ndc_t named_conf_t:file { read open };
	policy_module(pdns,0.9.5)

	require{
	type named_t;
	type named_cache_t;
	type named_conf_t;
	type named_var_run_t;
	type ndc_t;
	type tmp_t;
	class file { getattr unlink append read setattr write lock create rename link open };
	class sock_file { create read write unlink setattr getattr };
	class dir { add_name write read remove_name };
	}

	#only needed if using the guardian
	allow named_t self:capability { kill };

	#gmysql backend:
	mysql_read_config(named_t)
	files_read_usr_files(named_t)
	mysql_stream_connect(named_t)

	#postgres backend:
	postgresql_stream_connect(named_t)

	#bind backend:
	allow named_t named_cache_t:file { getattr unlink append read setattr write lock create rename link open };
	allow named_t named_cache_t:dir { add_name write read remove_name };
	allow named_t named_conf_t:file { read open };
	allow named_t named_var_run_t:file { getattr unlink append read setattr write lock create rename link open };

	# other stuff
	allow named_t var_run_t:sock_file { create read write unlink setattr getattr };
	allow ndc_t tmp_t:sock_file { create read write unlink setattr getattr };
	allow ndc_t tmp_t:file {getattr unlink append read setattr write lock create rename link open };
	allow ndc_t tmp_t:dir { add_name write read remove_name };
	allow ndc_t var_run_t:sock_file { create read write unlink };
	allow ndc_t named_conf_t:file { read open };