Suitable type for DNSSEC private keys
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 17 20:00:20 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it can not
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or does it exist some more specific type that would be more
> appropriate. I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
>
> Does anybody have any good suggestions?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkmbF1QACgkQrlYvE4MpobMMWwCgo0SNmCYFpTner13YVimK/3aB
9aQAoJjGG7iao7/VccVdds+pl0gLG5jL
=O++K
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list