[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: BIND less restrictive modes and policy



On Mon, Jan 21, 2008 at 04:13:14AM -0800, Andrew Farris wrote:
> Adam Tkac wrote:
>> Hi all,
>>
>> I'm going to do major revision of bind's file modes. Currenly We have
>> many files readable only by root and I can't see any reason why keep
>> binaries unreadable and unexecutable by other users. Also there isn't
>> any reason why keep configuration private. Only this files should not
>> be readable by other users:
>> - /etc/rndc.key - who has it may control server through rndc utility
>> - /var/log/named.log - will have sensitive information
>>
>> All other will be readable for all. Also complete /var/named/* subtree
>> will be writable by named (for generating core files, DDNS updates,
>> secondary servers, generally for easier configuration).
>>
>> Has anyone arguments against such change?
>>
>> Regards, Adam
>
> Just a comment, that probably needs to accompany selinux policy adjustments 
> (or rather, without change in policy other users won't have access even 
> with mode changes)?
>

Definitely. SELinux policy will be changed appropriately.

Adam

-- 
Adam Tkac, Red Hat, Inc.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]