On Fri, 2006-06-30 at 16:15 -0400, Faisal Ali wrote:
> Yes, exactly to run named in different SELinux domains. I am glad it's doable,
> do you mean use the canned policy for one named and create a new one for
> another named process. Can you point me to any read on the web that can help
> in doing this.

Can't think of any offhand. The approach I'd take would be to get the
SELinux SRPM and "prep" it to get all the patches applied, then find the
bind policy module and make a copy of it, and then edit all of the
named_* types to have another name (e.g. other_named_*). Change the file
contexts to refer to the locations and new type names you're using, then
try building and loading the new module and see how it goes. Of course,
I'd get the two-daemon thing working without SELinux (or with the same
policy for each) first.

> I guess it's more of comfort level thing, I know BIND9 is quite secure and I
> haven't heard of any hacks. But if it happens then hacker can have
> visibility to internal hosts information.

True, but is that such a big deal? It might give a clue to where to
start looking for targets but if they can get into your network they
could probably figure that out anyway by portscanning.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
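
The copy-and-rename step described in the reply above, as an added example that is not part of the original message and is not the Fedora policy's own tooling. The source file names (`bind.te`, `bind.fc`), the new module name `bind2`, the `/opt/named2` install prefix and the helper function names are all assumptions made for illustration, and the sample policy lines are constructed.

```sh
#!/bin/sh
# Added example. Assumed, not from the post: sources named <mod>.te and
# <mod>.fc, and a second named installed under its own path prefix.

# clone_module SRC MOD NEW_MOD OLD_PREFIX NEW_PREFIX NEW_ROOT OUT
clone_module() {
    src=$1 mod=$2 new_mod=$3 old=$4 new=$5 root=$6 out=$7
    mkdir -p "$out" || return 1
    # Rename identifiers that start with OLD_PREFIX; the leading group
    # keeps a name such as "unnamed_t" from being touched.
    rename="s/(^|[^A-Za-z0-9_])${old}/\\1${new}/g"
    # .te: new type names, plus a module name of its own so the copy can
    # be loaded next to the original.
    sed -E -e "$rename" \
        -e "s/^policy_module\\(${mod},/policy_module(${new_mod},/" \
        "$src/$mod.te" > "$out/$new_mod.te" || return 1
    # .fc: new type names, then every path spec moved under NEW_ROOT.
    sed -E -e "$rename" -e "s|^/|${root}/|" \
        "$src/$mod.fc" > "$out/$new_mod.fc" || return 1
}

# shared_types TE_FILE NEW_PREFIX: print types the copy still declares
# under their original names; the original module declares them too.
shared_types() {
    sed -n -E 's/^type ([A-Za-z0-9_]+).*/\1/p' "$1" | grep -v "^$2" || true
}

# build_sample DIR: write a constructed two-file sample (not the real
# bind policy source) into DIR.
build_sample() {
    printf '%s\n' 'policy_module(bind, 1.0)' 'type named_t;' \
        'type named_exec_t;' 'type ndc_t;' \
        'init_daemon_domain(named_t,named_exec_t)' > "$1/bind.te"
    printf '%s\n' \
        '/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)' \
        > "$1/bind.fc"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && build_sample "$d"
    clone_module "$d" bind bind2 named_ other_named_ /opt/named2 "$d/out"
    cat "$d/out/bind2.te" "$d/out/bind2.fc"
    echo "still shared: $(shared_types "$d/out/bind2.te" other_named_)"
fi
```

Run it with `demo` as the first argument to see the rewritten sample. Any type that `shared_types` prints is declared by both the original and the copy and still needs a new name by hand.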