17.2. Types

The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with BIND. Different types allow you to configure flexible access:
named_zone_t
Used for master zone files. Other services cannot modify files of this type. The named daemon can only modify files of this type if the named_write_master_zones Boolean is enabled.
named_cache_t
By default, named can write to files labeled with this type, without additional Booleans being set. Files copied or created in the /var/named/slaves/,/var/named/dynamic/ and /var/named/data/ directories are automatically labeled with the named_cache_t type.
named_var_run_t
Files copied or created in the /var/run/bind/, /var/run/named/, and /var/run/unbound/ directories are automatically labeled with the named_var_run_t type.
named_conf_t
BIND-related configuration files, usually stored in the /etc directory, are automatically labeled with the named_conf_t type.
named_exec_t
BIND-related executable files, usually stored in the /usr/sbin/ directory, are automatically labeled with the named_exec_t type.
named_log_t
BIND-related log files, usually stored in the /var/log/ directory, are automatically labeled with the named_log_t type.
named_unit_file_t
Executable BIND-related files in the /usr/lib/systemd/system/ directory are automatically labeled with the named_unit_file_t type.