On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
> But it should not be able to read the private keys, and it can not
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
> But what type would be appropriate? Just something generic like
> etc_t? Or does it exist some more specific type that would be more
> appropriate. I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
> Does anybody have any good suggestions?
I don't think there is an appropriate type defined in the existing
policy for a DNSSEC private key. The best option would be to add a
local policy module defining a distinct type exclusively for this
$ cat mydnssec.te
$ cat mydnssec.fc
/var/named/K.*.private -- gen_context(system_u
$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp
$ sudo semodule -i mydnssec.pp
$ sudo restorecon -Rv /var/named
Then only domains with unconfined file access should be allowed to
access the file (which would include your login account unless you are
mapping your account to a confined user role).
National Security Agency
fedora-selinux-list mailing list