On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it cannot
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or is there some more specific type that would be more
> appropriate? I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
>
> Does anybody have any good suggestions?

I don't think there is an appropriate type defined in the existing policy
for a DNSSEC private key. The best option would be to add a local policy
module defining a distinct type exclusively for this purpose, e.g.:

$ cat mydnssec.te
policy_module(mydnssec, 1.0)

type mydnssec_private_t;
files_type(mydnssec_private_t)

$ cat mydnssec.fc
/var/named/K.*\.private -- gen_context(system_u:object_r:mydnssec_private_t,s0)

$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp
$ sudo semodule -i mydnssec.pp
$ sudo restorecon -Rv /var/named

Then only domains with unconfined file access should be allowed to access
the file (which would include your login account unless you are mapping
your account to a confined user role).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list