On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
I'm upgrading my DNS system to DNSSEC, and now I have public and
private key files in /var/named. They of course got the type
named_zone_t which is the default in that directory.
For the public keys, that is appropriate. The DNS server needs to
read them, and they do contain zone data.
But it should not be able to read the private keys, and it can not
because of MAC. It seemed prudent to me to also give them another
type, just in case.
But what type would be appropriate? Just something generic like
etc_t? Or does it exist some more specific type that would be more
appropriate. I wasn't planning to add any extra policy modules or
types just for this, only to add a fcontext pattern for these files.
Does anybody have any good suggestions?
I don't think there is an appropriate type defined in the existing
policy for a DNSSEC private key. The best option would be to add a
local policy module defining a distinct type exclusively for this
purpose e.g.:
$ cat mydnssec.te
policy_module(mydnssec, 1.0)
type mydnssec_private_t;
files_type(mydnssec_private_t)
$ cat mydnssec.fc
/var/named/K.*\.private -- gen_context(system_u:object_r:mydnssec_private_t,s0)
$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp
$ sudo semodule -i mydnssec.pp
$ sudo restorecon -Rv /var/named
Then only domains with unconfined file access should be allowed to
access the file (which would include your login account unless you are
mapping your account to a confined user role).
--
Stephen Smalley
National Security Agency