
update bind policy to cover unbound on Debian 8.x

Helmut Pozimski 7 lat temu
rodzic
commit
359d65589f
2 zmienionych plików z 9 dodań i 1 usunięć
  1. 1 0
      policy/modules/bind.fc
  2. 8 1
      policy/modules/bind.te

+ 1 - 0
policy/modules/bind.fc

@@ -13,6 +13,7 @@
 /etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/var/lib/unbound.*\.key --      gen_context(system_u:object_r:dnssec_t,s0)
 
 /lib/systemd/system/unbound.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
 /lib/systemd/system/named.*\.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
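Review bot: The new `/var/lib/unbound.*\.key` pattern is not delimited after `unbound`, so unlike the existing `/etc/unbound/.*\.key` entry it also matches any sibling path that merely starts with `/var/lib/unbound` (for example `/var/lib/unbound-foo.key`), and it would relabel such files as dnssec_t, which named_t can read. The intended shape is probably `/var/lib/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)`, with tabs matching the neighbouring lines. There is also no entry for the `/var/lib/unbound` directory itself in this hunk; if none exists elsewhere in the file, the directory stays at whatever default /var/lib carries and only the key files get a private type, which is worth stating in a comment or fixing.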

+ 8 - 1
policy/modules/bind.te

@@ -1,4 +1,4 @@
-policy_module(bind, 1.14.1)
+policy_module(bind, 1.14.6)
 
 ########################################
 #
@@ -83,6 +83,12 @@ allow named_t self:tcp_socket { accept listen };
 
 allow named_t dnssec_t:file read_file_perms;
 
+gen_require(`
+	type var_lib_t;
+	type initrc_t;
+')
+type_transition initrc_t var_lib_t:file dnssec_t;
+
 allow named_t named_conf_t:dir list_dir_perms;
 read_files_pattern(named_t, named_conf_t, named_conf_t)
 read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
@@ -127,6 +133,7 @@ corenet_tcp_sendrecv_generic_node(named_t)
 corenet_udp_sendrecv_generic_node(named_t)
 corenet_tcp_bind_generic_node(named_t)
 corenet_udp_bind_generic_node(named_t)
+corenet_tcp_bind_all_unreserved_ports(named_t)
 
 corenet_sendrecv_all_server_packets(named_t)
 corenet_tcp_bind_dns_port(named_t)
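Review bot: The `type_transition initrc_t var_lib_t:file dnssec_t;` added in the second hunk applies to every file initrc_t creates in any var_lib_t directory, not only unbound's key, so unrelated init scripts writing under /var/lib would produce files labelled dnssec_t that named_t may read; the transition needs to be narrowed, for instance with a name-based rule such as `files_var_lib_filetrans(initrc_t, dnssec_t, file, "<KEYFILE-NAME>")` (placeholder, the real filename is not on this page) if the files module here offers that interface, or by giving /var/lib/unbound its own directory type. Pulling `initrc_t` in through a raw `gen_require` inside bind.te also sidesteps the init module's interfaces; the usual layering is an interface in bind.if invoked from the init policy. In the third hunk, `corenet_tcp_bind_all_unreserved_ports(named_t)` grants far more than a single control port; if it is meant for unbound's control socket, a dedicated port type and a targeted bind interface would keep named_t's bind surface to what it needs, and a comment should say which listener required it.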