2009-02-18 15:35:27

by Stephen Smalley

Subject: [refpolicy] dnssec_t

A question recently came up over on fedora-selinux-list on what type to
assign to the DNSSEC private key file to make it unreadable by the DNS
server. There is a dnssec_t type defined in bind.te, but:
a) it is assigned to /etc/rndc.key, which is not the same thing, and
b) it is readable by named_t and by ndc_t.

So a few questions:
1) Should we be using a differently-named type for /etc/rndc.key that is
closer to its actual purpose (TSIG key for authenticating commands
between rndc and named)?

2) Do we need a new type for use for DNSSEC private key files that is
unreadable by all domains other than unconfined and admin domains?

3) Should we have a distinct type for DNSSEC public key files?

I'm not sure who added dnssec_t in the first place.

--
Stephen Smalley
National Security Agency


2009-02-18 20:57:01

by cpebenito

Subject: [refpolicy] dnssec_t

On Wed, 2009-02-18 at 10:35 -0500, Stephen Smalley wrote:
> A question recently came up over on fedora-selinux-list on what type to
> assign to the DNSSEC private key file to make it unreadable by the DNS
> server. There is a dnssec_t type defined in bind.te, but:
> a) it is assigned to /etc/rndc.key, which is not the same thing, and
> b) it is readable by named_t and by ndc_t.

I'd have to look some more into DNSSEC to be sure, but my knee-jerk
reaction is:

> So a few questions:
> 1) Should we be using a differently-named type for /etc/rndc.key that is
> closer to its actual purpose (TSIG key for authenticating commands
> between rndc and named)?

I'd say yes.

> 2) Do we need a new type for use for DNSSEC private key files that is
> unreadable by all domains other than unconfined and admin domains?

An alternative might be no_access_t, but I'm not so sure I like that.

> 3) Should we have a distinct type for DNSSEC public key files?

Not sure.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
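To make questions 2 and 3 concrete, here is an added sketch (not code from the thread or from refpolicy) of how separate private- and public-key types could look in bind.te/bind.fc/bind.if. The type names `dnssec_private_key_t` and `dnssec_public_key_t`, the interface name `bind_manage_dnssec_private_keys`, and the `/etc/named/keys` path are assumptions; the one real fact it relies on is that BIND names key pairs `K<zone>+<alg>+<id>.private` and `.key`.

```selinux
## bind.te additions (hypothetical; type names are assumptions)

# A type for DNSSEC private key material. Deliberately NOT dnssec_t:
# dnssec_t is labelled onto /etc/rndc.key and is readable by named_t
# and ndc_t, which is exactly what the question wants to avoid.
type dnssec_private_key_t;
files_type(dnssec_private_key_t)

# No read_files_pattern(named_t, dnssec_private_key_t, ...) rule here,
# so named_t has no access to private keys unless someone adds one.
# Unconfined and file-admin domains still reach it through files_type.

# Public keys are non-secret; a separate type lets named_t read them
# without any rule ever naming the private key type.
type dnssec_public_key_t;
files_type(dnssec_public_key_t)
read_files_pattern(named_t, dnssec_public_key_t, dnssec_public_key_t)

## bind.fc additions (path is an assumption; adjust per distribution)
/etc/named/keys/K.*\.private  --  gen_context(system_u:object_r:dnssec_private_key_t,s0)
/etc/named/keys/K.*\.key      --  gen_context(system_u:object_r:dnssec_public_key_t,s0)

## bind.if addition: only a domain explicitly given this interface
## (e.g. from bind_admin) may touch the private keys.
########################################
## <summary>
##	Manage DNSSEC private key files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`bind_manage_dnssec_private_keys',`
	gen_require(`
		type dnssec_private_key_t;
	')

	files_search_etc($1)
	allow $1 dnssec_private_key_t:file manage_file_perms;
')
```

After loading such a module, `sesearch -A -s named_t -t dnssec_private_key_t` returning nothing is the check that the server domain really has no path to the private keys; the containing directory keeps whatever label it already has, so named_t may still list it but cannot open the files.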