BIND less restrictive modes and policy
Adam Tkac
atkac at redhat.com
Mon Jan 21 12:15:23 UTC 2008
On Mon, Jan 21, 2008 at 04:13:14AM -0800, Andrew Farris wrote:
> Adam Tkac wrote:
>> Hi all,
>>
>> I'm going to do major revision of bind's file modes. Currenly We have
>> many files readable only by root and I can't see any reason why keep
>> binaries unreadable and unexecutable by other users. Also there isn't
>> any reason why keep configuration private. Only this files should not
>> be readable by other users:
>> - /etc/rndc.key - who has it may control server through rndc utility
>> - /var/log/named.log - will have sensitive information
>>
>> All other will be readable for all. Also complete /var/named/* subtree
>> will be writable by named (for generating core files, DDNS updates,
>> secondary servers, generally for easier configuration).
>>
>> Has anyone arguments against such change?
>>
>> Regards, Adam
>
> Just a comment, that probably needs to accompany selinux policy adjustments
> (or rather, without change in policy other users won't have access even
> with mode changes)?
>
Definitely. SELinux policy will be changed appropriately.
Adam
--
Adam Tkac, Red Hat, Inc.
More information about the devel
mailing list