Suitable type for DNSSEC private keys
Stephen Smalley
sds at tycho.nsa.gov
Tue Feb 17 20:05:57 UTC 2009
On Tue, 2009-02-17 at 15:00 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Göran Uddeborg wrote:
> > I'm upgrading my DNS system to DNSSEC, and now I have public and
> > private key files in /var/named. They of course got the type
> > named_zone_t which is the default in that directory.
> >
> > For the public keys, that is appropriate. The DNS server needs to
> > read them, and they do contain zone data.
> >
> > But it should not be able to read the private keys, and it can not
> > because of MAC. It seemed prudent to me to also give them another
> > type, just in case.
> >
> > But what type would be appropriate? Just something generic like
> > etc_t? Or does it exist some more specific type that would be more
> > appropriate. I wasn't planning to add any extra policy modules or
> > types just for this, only to add a fcontext pattern for these files.
> >
> > Does anybody have any good suggestions?
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
> /etc/rndc\.key -- system_u:object_r:dnssec_t:s0
> /var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
That's readable by named_t.
Why are you putting the private key in /var/named at all? Why is it
even on the public server?
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list