Göran Uddeborg wrote:
> I'm upgrading my DNS system to DNSSEC, and now I have public and
> private key files in /var/named. They of course got the type
> named_zone_t which is the default in that directory.
>
> For the public keys, that is appropriate. The DNS server needs to
> read them, and they do contain zone data.
>
> But it should not be able to read the private keys, and it cannot
> because of MAC. It seemed prudent to me to also give them another
> type, just in case.
>
> But what type would be appropriate? Just something generic like
> etc_t? Or does there exist some more specific type that would be
> more appropriate? I wasn't planning to add any extra policy modules or
> types just for this, only to add a fcontext pattern for these files.
>
> Does anybody have any good suggestions?

grep dnssec /etc/selinux/targeted/contexts/files/file_contexts
/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
/var/named/chroot/etc/rndc\.key -- system_u:object_r:dnssec_t:s0
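
An added example, not part of the thread and not code from either poster: a dry-run helper for the fcontext pattern mentioned in the question, using the dnssec_t type from the reply's grep output. The function names, the `K.*\.private` regex and the dnssec-keygen file naming (K<zone>.+<alg>+<tag>.private / .key) are assumptions; the script only prints the semanage and restorecon commands and checks which files the pattern would cover.

```shell
#!/bin/sh
# Added example (assumptions: dnssec-keygen style file names, the
# dnssec_t type from the reply, directory names without regex
# metacharacters other than '.').

# Build the fcontext regex for private key files directly under $1.
private_key_regex() {
    printf '%s/K.*\\.private' "$1"
}

# Print the files directly under $1 that the regex would relabel.
# file_contexts regexes match the whole path, so grep -x mimics that
# anchoring; public .key files and zone files must not show up here.
files_matched() {
    find "$1" -maxdepth 1 -type f \
        | grep -E -x -- "$(private_key_regex "$1")" \
        | sort
}

# Print (do not run) the commands that add the rule and relabel
# each matching file. $2 is the target type, dnssec_t by default.
plan_relabel() {
    dir=$1
    type=${2:-dnssec_t}
    printf "semanage fcontext -a -t %s '%s'\n" \
        "$type" "$(private_key_regex "$dir")"
    files_matched "$dir" | while IFS= read -r f; do
        printf "restorecon -v '%s'\n" "$f"
    done
}

# Stand-alone use: sh script.sh --plan [directory]
if [ "${1:-}" = "--plan" ]; then
    plan_relabel "${2:-/var/named}"
fi
```

Before applying the printed commands, `sesearch -A -s named_t -t dnssec_t` shows what access the loaded policy grants the name server to that type, and `ls -Z` on the key files confirms the label after relabeling.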