On Tue, 2009-02-17 at 15:00 -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Göran Uddeborg wrote: > > I'm upgrading my DNS system to DNSSEC, and now I have public and > > private key files in /var/named. They of course got the type > > named_zone_t which is the default in that directory. > > > > For the public keys, that is appropriate. The DNS server needs to > > read them, and they do contain zone data. > > > > But it should not be able to read the private keys, and it can not > > because of MAC. It seemed prudent to me to also give them another > > type, just in case. > > > > But what type would be appropriate? Just something generic like > > etc_t? Or does it exist some more specific type that would be more > > appropriate. I wasn't planning to add any extra policy modules or > > types just for this, only to add a fcontext pattern for these files. > > > > Does anybody have any good suggestions? > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list@xxxxxxxxxx > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > grep dnssec /etc/selinux/targeted/contexts/files/file_contexts > /etc/rndc\.key -- system_u:object_r:dnssec_t:s0 > /var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0 That's readable by named_t. Why are you putting the private key in /var/named at all? Why is it even on the public server? -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
