Running two named processes in selinux

Paul Howarth paul at city-fan.org
Fri Jun 30 20:39:53 UTC 2006


On Fri, 2006-06-30 at 16:15 -0400, Faisal Ali wrote:
> Yes, exactly, to run named in different SELinux domains. I am glad it's doable;
> do you mean use the canned policy for one named and create a new one for
> another named process? Can you point me to any reading on the web that can help
> in doing this?

Can't think of any offhand. The approach I'd take would be to get the
SELinux SRPM and "prep" it to get all the patches applied, then find the
bind policy module and make a copy of it, and then edit all of the
named_* types to have another name (e.g. other_named_*). Change the file
contexts to refer to the locations and new type names you're using, then
try building and loading the new module and see how it goes.

Of course, I'd get the two-daemon thing working without SELinux (or with
the same policy for each) first.

> I guess it's more of a comfort level thing. I know BIND9 is quite secure and I
> haven't heard of any hacks. But if it happens then a hacker can have
> visibility into internal host information.

True, but is that such a big deal? It might give a clue to where to
start looking for targets but if they can get into your network they
could probably figure that out anyway by portscanning.

Paul.
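The procedure Paul sketches (copy the bind policy module, rename the named_* types to other_named_*, repoint the file contexts at the second instance's locations, then build and load the module) as an added shell example; it is not part of the original thread. The cut-down bind.te/bind.if/bind.fc it works on are constructed for the demo (the real ones come out of the prepared selinux-policy SRPM), the module name other_bind and the paths /usr/sbin/named-other, /etc/named-other.conf and /var/named-other are assumptions, and the build step uses the reference-policy Makefile that selinux-policy-devel installs under /usr/share/selinux/devel.

```shell
#!/bin/sh
# Added example (not from the original post): clone a BIND SELinux policy
# module into a second module whose types are prefixed other_named_* and
# whose file contexts point at a second set of paths.  The sample policy
# text, the other_bind module name and the *-other paths are assumptions.
set -eu

# Rename every named_* type and bind_* interface in one policy source file.
# Only whole identifiers are touched (start of line, or preceded by a
# non-identifier character), so paths such as /etc/named.conf are left alone.
rename_types() {  # rename_types <infile> <outfile>
    sed -e 's/^named_/other_named_/' \
        -e 's/\([^[:alnum:]_]\)named_/\1other_named_/g' \
        -e 's/^bind_/other_bind_/' \
        -e 's/\([^[:alnum:]_]\)bind_/\1other_bind_/g' \
        -e 's/policy_module(bind,/policy_module(other_bind,/' "$1" > "$2"
}

# Point the file-context entries at the second instance's locations
# (assumed: its own copy of the binary, its own config and zone directory).
relocate_paths() {  # relocate_paths <infile> <outfile>
    sed -e 's|/usr/sbin/named|/usr/sbin/named-other|' \
        -e 's|/etc/named|/etc/named-other|' \
        -e 's|/var/named|/var/named-other|' "$1" > "$2"
}

# <srcdir>/bind.{te,if,fc}  ->  <dstdir>/other_bind.{te,if,fc}
clone_bind_policy() {  # clone_bind_policy <srcdir> <dstdir>
    mkdir -p "$2"
    rename_types "$1/bind.te" "$2/other_bind.te"
    rename_types "$1/bind.if" "$2/other_bind.if"
    rename_types "$1/bind.fc" "$2/renamed.fc"
    relocate_paths "$2/renamed.fc" "$2/other_bind.fc"
    rm -f "$2/renamed.fc"
}

# On the target host, as root: compile, load, and relabel the second
# instance's files.  Not run by the demo below; needs selinux-policy-devel.
build_and_load() {  # build_and_load <dstdir>
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile other_bind.pp )
    semodule -i "$1/other_bind.pp"
    restorecon -Rv /usr/sbin/named-other /etc/named-other.conf /var/named-other
}

# --- Demo on a constructed, cut-down bind module (not the real policy) ---
work=$(mktemp -d)          # left in place so the result can be inspected
mkdir -p "$work/src"
cat > "$work/src/bind.te" <<'EOF'
policy_module(bind, 1.0.0)
type named_t;
type named_exec_t;
init_daemon_domain(named_t, named_exec_t)
type named_conf_t;
files_type(named_conf_t)
type named_zone_t;
files_type(named_zone_t)
allow named_t named_conf_t:file read_file_perms;
allow named_t named_zone_t:dir manage_dir_perms;
EOF
cat > "$work/src/bind.if" <<'EOF'
interface(`bind_read_config',`
    gen_require(`
        type named_conf_t;
    ')
    allow $1 named_conf_t:file read_file_perms;
')
EOF
cat > "$work/src/bind.fc" <<'EOF'
/etc/named.conf     --  gen_context(system_u:object_r:named_conf_t,s0)
/usr/sbin/named     --  gen_context(system_u:object_r:named_exec_t,s0)
/var/named(/.*)?        gen_context(system_u:object_r:named_zone_t,s0)
EOF

clone_bind_policy "$work/src" "$work/other_bind"
echo "cloned module written to $work/other_bind:"
cat "$work/other_bind/other_bind.te" "$work/other_bind/other_bind.fc"
```

Two things worth checking before loading the result. The domain transition is keyed on the executable's type, and init_daemon_domain(named_t, named_exec_t) and init_daemon_domain(other_named_t, other_named_exec_t) cannot both apply to the same file, so the second instance needs its own copy of the binary at its own path (a hard link shares the inode and therefore the label, which is why the example assumes /usr/sbin/named-other). And if the loaded policy already contains the real bind module, the clone must not reuse any of its type or interface names, which is what the whole-identifier sed patterns above are for; grep the generated .te for a bare named_ before building.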
