Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
17.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with BIND. Different types allow you to configure flexible access:
named_zone_t
- Used for master zone files. Other services cannot modify files of this type. The
named
daemon can only modify files of this type if thenamed_write_master_zones
Boolean is enabled. named_cache_t
- By default,
named
can write to files labeled with this type, without additional Booleans being set. Files copied or created in the/var/named/slaves/
,/var/named/dynamic/
and/var/named/data/
directories are automatically labeled with thenamed_cache_t
type. named_var_run_t
- Files copied or created in the
/var/run/bind/
,/var/run/named/
, and/var/run/unbound/
directories are automatically labeled with thenamed_var_run_t
type. named_conf_t
- BIND-related configuration files, usually stored in the
/etc
directory, are automatically labeled with thenamed_conf_t
type. named_exec_t
- BIND-related executable files, usually stored in the
/usr/sbin/
directory, are automatically labeled with thenamed_exec_t
type. named_log_t
- BIND-related log files, usually stored in the
/var/log/
directory, are automatically labeled with thenamed_log_t
type. named_unit_file_t
- Executable BIND-related files in the
/usr/lib/systemd/system/
directory are automatically labeled with thenamed_unit_file_t
type.