Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it cannot
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or does there exist some more specific type that would be more
> appropriate? I wasn't planning to add any extra policy modules or
> types just for this, only to add an fcontext pattern for these files.
>
> Does anybody have any good suggestions?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
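Added example, not part of the original thread: a script that lists DNSSEC private key files whose SELinux type differs from the wanted one and, with --fix, adds the fcontext pattern asked about above and relabels. It assumes BIND's K<zone>+<alg>+<id>.private file naming and takes dnssec_t from the grep output in the reply; KEY_DIR, WANT_TYPE and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit BIND DNSSEC private keys.
# Assumptions: keys use BIND's K<zone>+<alg>+<id>.private naming, and
# dnssec_t (the type in the grep output above) is the wanted label.

KEY_DIR=${KEY_DIR:-/var/named}
WANT_TYPE=${WANT_TYPE:-dnssec_t}

# Print the SELinux context of a file via GNU stat ("?" if unavailable).
get_context() {
    ctx=$(stat -c %C -- "$1" 2>/dev/null) || ctx='?'
    printf '%s\n' "$ctx"
}

# Extract the type field from user:role:type[:level].
context_type() {
    printf '%s\n' "$1" |
        awk -F: 'NF >= 3 { print $3; next } { print "unlabeled" }'
}

# Print "path type" for each private key under $1 whose type is not $2.
audit_private_keys() {
    find "$1" -type f -name 'K*.private' 2>/dev/null | sort |
        while IFS= read -r f; do
            t=$(context_type "$(get_context "$f")")
            [ "$t" = "$2" ] || printf '%s %s\n' "$f" "$t"
        done
}

# Add the fcontext pattern and relabel (needs root and semanage).
relabel_private_keys() {
    semanage fcontext -a -t "$2" "$1/K.*\.private" && restorecon -Rv "$1"
}

# Report only by default; pass --fix to add the pattern and relabel.
main() {
    bad=$(audit_private_keys "$KEY_DIR" "$WANT_TYPE")
    if [ -z "$bad" ]; then
        echo "no mislabeled private keys under $KEY_DIR"
    else
        printf 'private keys not labeled %s:\n%s\n' "$WANT_TYPE" "$bad"
        if [ "${1:-}" = "--fix" ]; then
            relabel_private_keys "$KEY_DIR" "$WANT_TYPE"
        fi
    fi
}

main "$@"
```

Before relying on any type to keep the name server away from the private keys, check what its domain is allowed to do with that type, for example with `sesearch -A -s named_t -t dnssec_t -c file` (named_t being the BIND domain in the targeted policy).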