Re: Suitable type for DNSSEC private keys

[Stephen Smalley <sds tycho nsa gov>]

On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named.  They of course got the type
> named_zone_t which is the default in that directory.
> 
> For the public keys, that is appropriate.  The DNS server needs to
> read them, and they do contain zone data.
> 
> But it should not be able to read the private keys, and it can not
> because of MAC.  It seemed prudent to me to also give them another
> type, just in case.
> 
> But what type would be appropriate?  Just something generic like
> etc_t?  Or does it exist some more specific type that would be more
> appropriate.  I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
> 
> Does anybody have any good suggestions?

I don't think there is an appropriate type defined in the existing
policy for a DNSSEC private key.  The best option would be to add a
local policy module defining a distinct type exclusively for this
purpose e.g.:

$ cat mydnssec.te
policy_module(mydnssec, 1.0)
type mydnssec_private_t;
files_type(mydnssec_private_t)

$ cat mydnssec.fc
/var/named/K.*\.private	-- gen_context(system_u:object_r:mydnssec_private_t,s0)

$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp
$ sudo semodule -i mydnssec.pp
$ sudo restorecon -Rv /var/named

Then only domains with unconfined file access should be allowed to
access the file (which would include your login account unless you are
mapping your account to a confined user role).

-- 
Stephen Smalley
National Security Agency