Cover V12, I03
mar2003.tar

Listing 4: Part of named.te, the SELinux Type Enforcement (TE) policy file for BIND's named daemon

    #################################
    #
    # Rules for the named_t domain.
    #
    # SELinux Type Enforcement (TE) policy for BIND's "named" daemon.
    # TE is deny-by-default: every "allow" below grants one access, and
    # anything not listed here is refused to named_t regardless of the
    # Unix file mode.  Identifiers ending in _t are types; the bare-word
    # calls (daemon_domain, can_exec, r_dir_file, ...) are m4 macros that
    # expand to sets of allow rules defined in the policy's macro files,
    # which are not part of this listing.  Permission sets such as
    # r_dir_perms / r_file_perms are likewise macro-defined.
    #
    # Port types for the DNS service port and the rndc control port.
    # The actual port numbers are assigned elsewhere (net_contexts).
    type named_port_t, port_type;
    type rndc_port_t, port_type;

    # NOTE(review): daemon_domain(named) is presumed to declare named_t and
    # named_exec_t (both are used unqualified below) plus the standard
    # daemon domain-transition rules -- confirm against the macros file.
    daemon_domain(named)

    # named_t may execute its own binary, search (but not list) directories
    # of type sbin_t, and set its own scheduling parameters.
    can_exec(named_t, named_exec_t)
    allow named_t sbin_t:dir search;
    allow named_t self:process setsched;

    # named configuration file types.
    # NOTE(review): sysadmfile is an attribute, presumably the set of files
    # the administrator role is allowed to manage -- verify in attrib.te.
    type named_conf_t, file_type, sysadmfile;
    type rndc_conf_t, file_type, sysadmfile;

    # master zone file types
    type named_zone_t, file_type, sysadmfile;

    # slave zone file types
    type named_cache_t, file_type, sysadmfile;

    # allow reading of files in /etc
    # Read-only: getattr and read on regular files and symlinks of the
    # generic /etc types, and on resolv.conf.  No write, append or create
    # is granted here, so named_t cannot alter the host's /etc.
    allow named_t etc_t:{ file lnk_file } { getattr read };
    allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
    allow named_t resolv_conf_t:file { getattr read };

    # Named can use network devices
    # (can_network is a macro; its exact expansion is not shown here.)
    can_network(named_t)

    # allow UDP transfer to/from any program
    # "domain" is the attribute carried by every process domain, so these
    # three rules let any process send UDP to / receive UDP from named_t
    # and open a TCP connection to it.  That is necessary because every
    # resolver client talks to the name server, but it also means the
    # peer-domain checks do not constrain named_t at all; the effective
    # network restriction on this domain is the name_bind rules below.
    can_udp_send(domain, named_t)
    can_udp_send(named_t, domain)
    can_tcp_connect(domain, named_t)

    # Bind to the named port.
    # UDP may be bound only to the DNS port; TCP may be bound to the DNS
    # port and to the rndc control port.  There is deliberately no UDP
    # name_bind on rndc_port_t, so the control channel is TCP-only.
    allow named_t named_port_t:udp_socket name_bind;
    allow named_t { named_port_t rndc_port_t }:tcp_socket name_bind;

    # read configuration files
    # Read-only access to named_conf_t.  NOTE(review): nothing in this
    # excerpt grants named_t any access to rndc_conf_t (declared above);
    # either that rule lives elsewhere in named.te or rndc_conf_t is meant
    # only for the rndc client -- confirm before relying on it.
    r_dir_file(named_t, named_conf_t)

    # read/write dynamic zone files
    # This grants the daemon write and create access to its own master
    # zone files (plus setattr), which is what dynamic DNS update and
    # journal files require.  The flip side is that a compromised named
    # can rewrite the authoritative zone data it serves.  If dynamic
    # updates are not used, a tighter policy would use
    # r_dir_file(named_t, named_zone_t) and drop the setattr rule --
    # NOTE(review): confirm the deployment needs dynamic updates first.
    rw_dir_create_file(named_t, named_zone_t)
    allow named_t named_zone_t:file setattr;

    # write cache for secondary zones
    # Zone transfers for slave zones are written under named_cache_t,
    # keeping transferred data on a different type from the master zones.
    rw_dir_create_file(named_t, named_cache_t)

    # Read /proc/cpuinfo.
    # NOTE(review): these rules are wider than the comment: they grant read
    # access to every directory and file of type proc_t, not just
    # /proc/cpuinfo.  Acceptable if proc_t is the generic procfs type and
    # nothing sensitive under it carries that type -- verify.
    allow named_t proc_t:dir r_dir_perms;
    allow named_t proc_t:file r_file_perms;

    # Read /dev/random.
    # Directory listing of /dev (device_t) and read access to the
    # random device only; no other device node type is granted here.
    allow named_t device_t:dir r_dir_perms;
    allow named_t random_device_t:chr_file r_file_perms;