Package: bind9utils
Version: 9.5.0.dfsg.P2-4
Severity: normal

When running on a SE Linux system the file /etc/bind/rndc.key is created with the security context unconfined_u:object_r:named_zone_t; the correct context is system_u:object_r:dnssec_t.

There are several potential solutions to this problem.

The easiest might be to use a different directory for such files. The directory in question could have the SE Linux type dnssec_t, which would be inherited by all files created in it, and even if files were mislabelled the directory access controls would prevent access. The directory name /etc/bind/dnssec would be suitable for all DNSSEC security related files (which includes the key for local sysadmin communication).

Another option is to have the rndc-confgen program check whether SE Linux is enabled and inform the kernel of the correct context for the file to be created. I would be happy to contribute code for this, but I suspect that it won't be the desired solution.

Finally, to give the desired functionality (i.e. have current systems work), it would be good to have the file in question relabelled after it is created. Something like the following in the bind9.postinst file, in the section that creates the /etc/bind/rndc.key file, would do:

    test ! -x /sbin/restorecon || /sbin/restorecon /etc/bind/rndc.key
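The following is an added example and not part of the bug report or of the bind9 packaging: a postinst-style helper that performs the restorecon step proposed above and then verifies that the key file actually carries the dnssec_t type, so a mislabelled rndc.key is detected rather than silently left with named_zone_t. It assumes restorecon is in /sbin or on PATH and that coreutils `stat -c %C` prints the file's security context; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug report. Relabel /etc/bind/rndc.key after
# creation (as the report proposes) and check its SELinux type afterwards.
# Assumptions: restorecon lives in /sbin or on PATH; `stat -c %C` prints the
# file's security context (coreutils) and "?" on a kernel without SELinux.

EXPECTED_TYPE="dnssec_t"   # the type the report identifies as correct

# Extract the type field (third colon-separated component) of a context string,
# e.g. unconfined_u:object_r:named_zone_t -> named_zone_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the type in the given context string is the expected one.
context_is_expected() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# Check the label of an existing file.  Returns 0 if the type matches,
# 1 if it is mislabelled, 2 if the context cannot be read (no SELinux).
file_context_ok() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
    case "$ctx" in
        ''|'?') return 2 ;;
    esac
    context_is_expected "$ctx"
}

# The relabel step from the report, guarded so it is a no-op where restorecon
# is absent (for example a build chroot without SELinux tooling installed).
relabel_rndc_key() {
    file=${1:-/etc/bind/rndc.key}
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon "$file"
    elif command -v restorecon >/dev/null 2>&1; then
        restorecon "$file"
    fi
}

# Relabel, then report a mislabelled key file on SELinux systems (hypothetical
# postinst fragment; exit status 1 signals the mismatch to the maintainer script).
fix_and_verify_rndc_key() {
    file=${1:-/etc/bind/rndc.key}
    relabel_rndc_key "$file"
    file_context_ok "$file"
    rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "warning: $file has type $(context_type "$(stat -c %C "$file")"), expected $EXPECTED_TYPE" >&2
        return 1
    fi
    return 0
}
```

On a non-SELinux host `file_context_ok` returns 2 and `fix_and_verify_rndc_key` treats that as "nothing to check", matching the `test ! -x /sbin/restorecon || ...` guard in the report, which is also a no-op where restorecon is not installed.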

