Re: Suitable type for DNSSEC private keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2009-02-17 at 15:00 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Göran Uddeborg wrote:
> > I'm upgrading my DNS system to DNSSEC, and now I have public and
> > private key files in /var/named.  They of course got the type
> > named_zone_t which is the default in that directory.
> > 
> > For the public keys, that is appropriate.  The DNS server needs to
> > read them, and they do contain zone data.
> > 
> > But it should not be able to read the private keys, and it can not
> > because of MAC.  It seemed prudent to me to also give them another
> > type, just in case.
> > 
> > But what type would be appropriate?  Just something generic like
> > etc_t?  Or does it exist some more specific type that would be more
> > appropriate.  I wasn't planning to add any extra policy modules or
> > types just for this, only to add a fcontext pattern for these files.
> > 
> > Does anybody have any good suggestions?
> > 
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
> grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
> /etc/rndc\.key	--	system_u:object_r:dnssec_t:s0
> /var/named/chroot/etc/rndc\.key	--	system_u:object_r:dnssec_t:s0

That's readable by named_t.

Why are you putting the private key in /var/named at all?  Why is it
even on the public server?

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux