Re: Suitable type for DNSSEC private keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named.  They of course got the type
> named_zone_t which is the default in that directory.
> 
> For the public keys, that is appropriate.  The DNS server needs to
> read them, and they do contain zone data.
> 
> But it should not be able to read the private keys, and it can not
> because of MAC.  It seemed prudent to me to also give them another
> type, just in case.
> 
> But what type would be appropriate?  Just something generic like
> etc_t?  Or does it exist some more specific type that would be more
> appropriate.  I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
> 
> Does anybody have any good suggestions?
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
/etc/rndc\.key	--	system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key	--	system_u:object_r:dnssec_t:s0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmbF1QACgkQrlYvE4MpobMMWwCgo0SNmCYFpTner13YVimK/3aB
9aQAoJjGG7iao7/VccVdds+pl0gLG5jL
=O++K
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux