# Policy for named when it runs as the named user and chroots to /var/named
# This policy works for the default configuration of named.
# Header: the rules below apply to the named binary at this exact path,
# under the native (host) system-call emulation.
Policy: /usr/sbin/named, Emulation: native
-------------------------
# accept(2) is permitted unconditionally: there is no filter on the peer
# address, so any inbound connection on a listening socket may complete.
native-accept: permit
-------------------------
# bind(2) is permitted only when the socket address matches "inet-*:53":
# the "*" wildcard covers the address part, the port is fixed at 53.
# Binding to any other port does not match this rule.
# NOTE(review): whether inet6 sockets match the "inet-" pattern is not
# shown here -- confirm before relying on this for IPv6 listeners.
native-bind: sockaddr match "inet-*:53" then permit
-------------------------
# chdir(2) is allowed only to two exact paths ("eq", not a prefix match).
# NOTE(review): "/namedb" is presumably the path as seen after the chroot
# to /var/named (i.e. /var/named/namedb on the host) -- confirm that the
# chroot happens before this chdir in named's startup sequence.
native-chdir: filename eq "/" then permit
native-chdir: filename eq "/namedb" then permit
-------------------------
# chroot(2) is allowed only to the exact directory /var/named; a chroot
# to any other path is not matched by this rule.
native-chroot: filename eq "/var/named" then permit
-------------------------
# connect(2) is allowed only to the unix-domain socket /dev/log
# (conventionally the syslog socket).  No other outbound connect,
# local or network, is matched here.
native-connect: sockaddr eq "/dev/log" then permit
-------------------------
# Read access is allow-listed per exact path ("eq"): the root directory,
# the arandom device, and the group database.  Because the comparison is
# exact, permitting "/" does not imply anything underneath it.
native-fsread: filename eq "/" then permit
native-fsread: filename eq "/dev/arandom" then permit
native-fsread: filename eq "/etc/group" then permit
-------------------------
# Placeholder rule.  "sub" is a substring match, so every filename that
# contains the quoted text is denied, and the process sees ENOENT rather
# than a generic permission failure.  Keep the substring specific: a
# short pattern would deny far more paths than intended.
# NOTE(review): as shown, this line carries no "native-<syscall>:" prefix;
# presumably it belongs to a filesystem rule such as native-fsread --
# confirm the intended syscall before using it.
filename sub "<non-existent filename>" then deny[enoent]
-------------------------
# Port-53 bind(2) filter with "log" appended: matching calls are permitted
# and also logged, which is useful while validating a new policy.
# NOTE(review): if this is merged into a policy that already has a plain
# "permit" form of the same rule, check which of the two takes effect.
native-bind: sockaddr match "inet-*:53" then permit log
-------------------------
# setgid(2) is allowed only to gid 70 (presumably the named group --
# confirm against /etc/group); any other group id is not matched.
native-setgid: gid eq "70" then permit
