Re: Suitable type for DNSSEC private keys
- From: Stephen Smalley <sds tycho nsa gov>
- To: Daniel J Walsh <dwalsh redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Suitable type for DNSSEC private keys
- Date: Tue, 17 Feb 2009 15:05:57 -0500
On Tue, 2009-02-17 at 15:00 -0500, Daniel J Walsh wrote:
> Göran Uddeborg wrote:
> > I'm upgrading my DNS system to DNSSEC, and now I have public and
> > private key files in /var/named. They of course got the type
> > named_zone_t which is the default in that directory.
> >
> > For the public keys, that is appropriate. The DNS server needs to
> > read them, and they do contain zone data.
> >
> > But it should not be able to read the private keys, and it can not
> > because of MAC. It seemed prudent to me to also give them another
> > type, just in case.
> >
> > But what type would be appropriate? Just something generic like
> > etc_t? Or is there some more specific type that would be more
> > appropriate? I wasn't planning to add any extra policy modules or
> > types just for this, only to add a fcontext pattern for these files.
> >
> > Does anybody have any good suggestions?
> >
>
> grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
> /etc/rndc\.key -- system_u:object_r:dnssec_t:s0
> /var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
That's readable by named_t.
Why are you putting the private key in /var/named at all? Why is it
even on the public server?
--
Stephen Smalley
National Security Agency
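The thread turns on how file_contexts patterns decide a file's type: everything under /var/named picks up named_zone_t by default, the two rndc.key entries Dan grepped give dnssec_t, and Stephen's point is that dnssec_t is no better an isolation boundary because named_t can read it. The following is an added example, not code from the thread or from the SELinux project: a small matcher for file_contexts entries, run over a constructed table (the quoted dnssec_t lines plus the named_zone_t default Göran describes) and constructed key file names in the dnssec-keygen naming style. It assumes that when several entries match a path the last matching one wins, as setfiles/restorecon apply these lists, and it uses etc_t only because that is the generic type Göran floated, not as a recommendation.

```python
import re

# Constructed sample of a file_contexts table: the two dnssec_t entries quoted
# in the thread plus the named_zone_t default for /var/named that Göran
# describes.  Format per line: regex [file-type-filter] context.
SAMPLE_FILE_CONTEXTS = r"""
/var/named(/.*)?                     system_u:object_r:named_zone_t:s0
/etc/rndc\.key                   --  system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key  --  system_u:object_r:dnssec_t:s0
"""

# Hypothetical extra pattern, in file_contexts style, giving private key files
# their own type.  etc_t is just the generic type mentioned in the thread.
EXTRA_PRIVATE_KEY_RULE = r"/var/named/K.*\.private  --  system_u:object_r:etc_t:s0"

# file_contexts type filters and the kind of inode each one accepts.
_FILTERS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
            "-b": "block", "-s": "socket", "-p": "fifo"}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, kind_filter, context) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flt, context = fields
            kind = _FILTERS[flt]
        elif len(fields) == 2:
            regex, context = fields
            kind = None          # no filter: any inode kind
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # libselinux anchors the regex to the whole path; fullmatch does too.
        entries.append((re.compile(regex), kind, context))
    return entries


def lookup(entries, path, kind="file"):
    """Context applying to path, or None.

    Assumption: among several matching entries the last one wins, which is
    how setfiles/restorecon apply a file_contexts list.
    """
    result = None
    for regex, kind_filter, context in entries:
        if kind_filter is not None and kind_filter != kind:
            continue
        if regex.fullmatch(path):
            result = context
    return result


def type_of(context):
    """Third colon-separated field of a security context, i.e. the type."""
    return context.split(":")[2] if context else None


def label_keys(extra_rule=None):
    """Label a constructed public/private key pair plus the chroot rndc.key.

    With no extra rule both key files fall under the /var/named default; with
    EXTRA_PRIVATE_KEY_RULE only the .private file changes type.
    """
    text = SAMPLE_FILE_CONTEXTS + ("\n" + extra_rule if extra_rule else "")
    entries = parse_file_contexts(text)
    # Constructed file names in the dnssec-keygen K<zone>+<alg>+<id> style.
    paths = ["/var/named/Kexample.com.+005+12345.key",
             "/var/named/Kexample.com.+005+12345.private",
             "/var/named/chroot/etc/rndc.key"]
    return {p: type_of(lookup(entries, p)) for p in paths}


if __name__ == "__main__":
    for rule in (None, EXTRA_PRIVATE_KEY_RULE):
        print("extra rule:", rule)
        for path, t in label_keys(rule).items():
            print("  %-50s %s" % (path, t))
```

On a real system the equivalent of appending EXTRA_PRIVATE_KEY_RULE is `semanage fcontext -a -t <type> '/var/named/K.*\.private'` followed by `restorecon -v /var/named/K*.private`, and `sesearch -A -s named_t -t <type> -c file` shows whether named_t can still read the result. Relabeling does not change the answer to Stephen's question, though: whatever type the .private file gets, a key that never needs to be on the public server is better removed than relabeled.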