6.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with BIND. Different types allow you to configure flexible access:
named_zone_t
- Used for master zone files. Other services cannot modify files of this type.
named
can only modify files of this type if thenamed_write_master_zones
Boolean is enabled. named_cache_t
- By default,
named
can write to files labeled with this type, without additional Booleans being set. Files copied or created in the/var/named/slaves/
,/var/named/dynamic/
and/var/named/data/
directories are automatically labeled with thenamed_cache_t
type. named_var_run_t
- Files copied or created in the
/var/run/bind/
,/var/run/named/
, and/var/run/unbound/
directories are automatically labeled with thenamed_var_run_t
type. named_conf_t
- BIND-related configuration files, usually stored in the
/etc/
directory, are automatically labeled with thenamed_conf_t
type. named_exec_t
- BIND-related executable files, usually stored in the
/usr/sbin/
directory, are automatically labeled with thenamed_exec_t
type. named_log_t
- BIND-related log files, usually stored in the
/var/log/
directory, are automatically labeled with thenamed_log_t
type. named_initrc_exec_t
- Executable BIND-related files in the
/etc/rc.d/init.d/
directory are automatically labeled with thenamed_initrc_exec_t
type.