On Tue, 2009-02-17 at 20:37 +0100, Göran Uddeborg wrote:
I'm upgrading my DNS system to DNSSEC, and now I have public and private key files in /var/named. They of course got the type named_zone_t which is the default in that directory.
For the public keys, that is appropriate. The DNS server needs to read them, and they do contain zone data.
But it should not be able to read the private keys, and it can not because of MAC. It seemed prudent to me to also give them another type, just in case.
But what type would be appropriate? Just something generic like etc_t? Or does it exist some more specific type that would be more appropriate. I wasn't planning to add any extra policy modules or types just for this, only to add a fcontext pattern for these files.
Does anybody have any good suggestions?
I don't think there is an appropriate type defined in the existing policy for a DNSSEC private key. The best option would be to add a local policy module defining a distinct type exclusively for this purpose e.g.:
$ cat mydnssec.te policy_module(mydnssec, 1.0) type mydnssec_private_t; files_type(mydnssec_private_t)
$ cat mydnssec.fc /var/named/K.*.private -- gen_context(system_u:object_r:mydnssec_private_t,s0)
$ make -f /usr/share/selinux/devel/Makefile mydnssec.pp $ sudo semodule -i mydnssec.pp $ sudo restorecon -Rv /var/named
Then only domains with unconfined file access should be allowed to access the file (which would include your login account unless you are mapping your account to a confined user role).