On Fri, 2006-06-30 at 16:15 -0400, Faisal Ali wrote:
> Yes, exactly to run named in different SELinux domains. I am glad its
> Do you mean use the canned policy for one named and create a new one for
> another named process? Can you point me to any reading on the web that can
> help in doing this?
Can't think of any offhand. The approach I'd take would be to get the
SELinux SRPM and "prep" it to get all the patches applied, then find the
bind policy module and make a copy of it, and then edit all of the
named_* types to have another name (e.g. other_named_*). Change the file
contexts to refer to the locations and new type names you're using, then
try building and loading the new module and see how it goes.
Of course, I'd get the two-daemon thing working without SELinux (or with
the same policy for each) first.
> I guess it's more of a comfort-level thing. I know BIND9 is quite secure;
> I haven't heard of any hacks. But if it happens then a hacker can have
> visibility into internal host information.
True, but is that such a big deal? It might give a clue to where to
start looking for targets but if they can get into your network they
could probably figure that out anyway by portscanning.
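The module-cloning approach sketched earlier in this reply (copy the bind policy module, rename the named_* types, fix the file contexts, then build and load the clone), written out as an added shell example; it is not from this thread or from the SELinux reference policy. It assumes refpolicy-style bind.te/bind.fc/bind.if sources, that the second instance's files live under an assumed prefix such as /var/named2, and that selinux-policy-devel provides /usr/share/selinux/devel/Makefile.

```shell
#!/bin/sh
# Clone the "bind" policy module into a second module whose types are all
# ${NEWPREFIX}_* instead of named_*, so a second named can run in its own
# domain. Assumed layout: SRCDIR/bind.{te,fc,if} (refpolicy style).
set -eu

# rename_types SRC DST NEWPREFIX OLDPATH NEWPATH
# Copies one policy source file, renaming every named_* type and bind_*
# interface to NEWPREFIX_*, the module name, and file-context paths that
# start with OLDPATH. Word-boundary match keeps e.g. corenet_tcp_bind_dns_port
# and dns_port_t untouched. Other paths (a second named binary) still need
# editing by hand.
rename_types() {
  src=$1; dst=$2; newprefix=$3; oldpath=$4; newpath=$5
  sed -E \
    -e "s#(^|[^A-Za-z0-9_])named_#\1${newprefix}_#g" \
    -e "s#(^|[^A-Za-z0-9_])bind_#\1${newprefix}_#g" \
    -e "s#^policy_module\(bind,#policy_module(${newprefix},#" \
    -e "s#^${oldpath}#${newpath}#" \
    "$src" > "$dst"
}

# clone_module SRCDIR DSTDIR NEWPREFIX OLDPATH NEWPATH
# Writes DSTDIR/NEWPREFIX.{te,fc,if} and fails if the clone still defines
# the original named_t domain (i.e. the rename did not take).
clone_module() {
  srcdir=$1; dstdir=$2; newprefix=$3; oldpath=$4; newpath=$5
  mkdir -p "$dstdir"
  for ext in te fc if; do
    [ -f "$srcdir/bind.$ext" ] || continue
    rename_types "$srcdir/bind.$ext" "$dstdir/$newprefix.$ext" \
      "$newprefix" "$oldpath" "$newpath"
  done
  if grep -q 'type named_t;' "$dstdir/$newprefix.te"; then
    echo "rename incomplete: named_t still defined" >&2
    return 1
  fi
  return 0
}

# build_and_load DSTDIR NEWPREFIX NEWPATH
# Builds the .pp with the policy devel Makefile, loads it, and relabels the
# new instance's files. Needs the SELinux toolchain and root; not run here.
build_and_load() {
  ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp" ) \
    && semodule -i "$1/$2.pp" \
    && restorecon -R "$3"
}
```

After loading, check with `ps -eZ | grep named` that the second instance runs as the new domain rather than named_t; until it does, the two daemons are not actually separated.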