The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with BIND. Different types allow you to configure flexible access:
- Used for master zone files. Other services cannot modify files of this type.
namedcan only modify files of this type if the
named_write_master_zonesBoolean is enabled.
- By default,
namedcan write to files labeled with this type, without additional Booleans being set. Files copied or created in the
/var/named/data/directories are automatically labeled with the
- Files copied or created in the
/var/run/unbound/directories are automatically labeled with the
- BIND-related configuration files, usually stored in the
/etc/directory, are automatically labeled with the
- BIND-related executable files, usually stored in the
/usr/sbin/directory, are automatically labeled with the
- BIND-related log files, usually stored in the
/var/log/directory, are automatically labeled with the
- Executable BIND-related files in the
/etc/rc.d/init.d/directory are automatically labeled with the