Re: Suitable type for DNSSEC private keys
- From: Daniel J Walsh <dwalsh redhat com>
- To: Göran Uddeborg <goeran uddeborg se>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Suitable type for DNSSEC private keys
- Date: Tue, 17 Feb 2009 15:00:20 -0500
Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it can not
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or does there exist some more specific type that would be more
> appropriate? I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
>
> Does anybody have any good suggestions?
grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
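One way to act on the reply with only a local fcontext rule, as the question asks. This is an added example, not part of the original thread. It assumes the keys sit in /var/named and follow BIND's K<name>.+<alg>+<keyid>.private naming, and that dnssec_t (the type in the grep output above) is the label wanted; the helper function names are hypothetical.

```bash
#!/bin/bash
# Added example: give DNSSEC private key files their own type through a
# local file-context rule, leaving the public .key files as named_zone_t.
# Assumed: key directory and BIND's K<name>.+<alg>+<keyid>.private naming.

KEY_DIR="/var/named"
KEY_TYPE="dnssec_t"   # type shown in the reply's grep output

# Build the file_contexts regex for private keys directly under a directory.
# Dots in the directory are escaped; '+' is escaped because it is a literal
# character in key file names, not a quantifier.
private_key_pattern() {
    local dir
    dir=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s/K[^/]+\\.\\+[0-9]+\\+[0-9]+\\.private' "$dir"
}

# Return 0 if the path would be covered by the rule. file_contexts patterns
# match the whole path, so the regex is anchored at both ends here.
matches_rule() {
    printf '%s\n' "$1" | grep -Eq "^$(private_key_pattern "$2")\$"
}

# Register the rule for regular files only, then relabel the existing keys.
apply_label() {
    local pattern
    pattern=$(private_key_pattern "$KEY_DIR")
    semanage fcontext -a -f f -t "$KEY_TYPE" "$pattern" &&
        restorecon -v "$KEY_DIR"/K*.private
}

# Nothing is changed unless the script is run as: script --apply
if [ "${1:-}" = "--apply" ]; then
    apply_label
fi
```

Run it with --apply as root. Before relying on the label, `sesearch -A -s named_t -t dnssec_t -c file` (from setools) shows what access the loaded policy grants the name server to that type.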