Suitable type for DNSSEC private keys
Stephen Smalley
sds at tycho.nsa.gov
Wed Feb 18 16:13:56 UTC 2009
On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it can not
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or does it exist some more specific type that would be more
> appropriate. I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
>
> Does anybody have any good suggestions?
I don't think there is an appropriate type defined in the existing
policy for a DNSSEC private key. The best option would be to add a
local policy module defining a distinct type exclusively for this
purpose e.g.:
$ cat mydnssec.te
policy_module(mydnssec, 1.0)
type mydnssec_private_t;
files_type(mydnssec_private_t)
$ cat mydnssec.fc
/var/named/K.*\.private -- gen_context(system_u:object_r:mydnssec_private_t,s0)
$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp
$ sudo semodule -i mydnssec.pp
$ sudo restorecon -Rv /var/named
Then only domains with unconfined file access should be allowed to
access the file (which would include your login account unless you are
mapping your account to a confined user role).
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list