Red Hat Bugzilla – Bug 473391
[Patch] SELinux protection for unbound daemon
Last modified: 2013-04-30 19:42:04 EDT
Description of problem:
The unbound daemon is a new DNS resolver and it lacks SELinux protection. I've created a proposed policy. Would it be possible to put it into the rawhide selinux-policy, please?
Created attachment 324951
Created attachment 324952
Would it be better to just add it to the bind policy, since it has the same security requirements?
that might change in the future anyway. I'd keep it separate.
Well, it is possible but I don't think it is good. Unbound is a recursive-only nameserver; it is not an authoritative server like named. The Unbound policy can be far stricter than named's. But if you think reusing the named policy makes more sense, simply reuse it; I might be "security-paranoid" ;)
(In reply to comment #4)
> that might change in the future anyway. I'd keep it separate.
Both are DNS servers so I don't expect major differences.
If unbound needs fewer privs than bind, fine, we can add a boolean to turn off privs. But adding an additional policy for basically the same security domain is a mistake.
If we find they become very different in the future, we can separate the policy. But I think they are more similar than different. Lastly, there is probably little likelihood that you would have bind data on the same machine as unbound, so I don't see them attacking each other.
I think quite a few people will test with unbound having bind as a backup, or even using both on different IPs on the same box, while testing out things like DNSSEC.
But we've tried to ensure that bind and unbound use the same files for DNSSEC keys and all.
(In reply to comment #7)
> I think quite a few people will test with unbound having bind as a backup, or
> even using both on different IP's on the same box, while testing out things
> like DNSSEC.
I can imagine someone will use unbound and named on the same box, so one policy won't be good enough (unbound will be allowed to interfere with named and vice versa).
That may be true, but those users are going to have to do some special stuff anyway to prevent the two domains from attacking each other, since they both can use DNS ports. Adding the following to F10 and Rawhide policy:
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
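The two file_contexts lines above are what make unbound run in bind's domain: /usr/sbin/unbound gets named_exec_t, so init (via the init script labeled named_initrc_exec_t) transitions the daemon into named_t, the same domain named runs in. To show how such lines are applied, here is an added example, not code from the bug or from selinux-policy: a minimal offline stand-in for matchpathcon(1) that evaluates a constructed file_contexts snippet. The snippet carries the two entries from this comment; the /usr/sbin/named and /var/lib/unbound(/.*)? lines and their labels are assumptions added only to illustrate the `--` (regular-file-only) specifier and the subtree regex form. It uses only sh and grep, so it runs without SELinux present.

```shell
#!/bin/sh
# Added example: a toy matchpathcon. Constructed file_contexts snippet; the
# first two lines are from the bug, the last two are illustrative assumptions.
# Format: REGEX [TYPE] CONTEXT, where TYPE is -- (regular file), -d (dir),
# -l (symlink), -b/-c/-p/-s, and no TYPE means any file type.
SPEC='# constructed for this example
/etc/rc\.d/init\.d/unbound -- system_u:object_r:named_initrc_exec_t:s0
/usr/sbin/unbound -- system_u:object_r:named_exec_t:s0
/usr/sbin/named -- system_u:object_r:named_exec_t:s0
/var/lib/unbound(/.*)? system_u:object_r:named_cache_t:s0'

# label_for PATH [FTYPE]
#   FTYPE is the ls -l type letter: "-" regular (default), "d", "l", "b", ...
#   Prints the matching context, or "none" when no line matches.
label_for() {
    path=$1
    ftype=${2:--}
    result=none
    # read -r: keep backslashes in the regex; default IFS splits the fields.
    while read -r regex spec ctx; do
        case "$regex" in ''|'#'*) continue ;; esac
        # Two-field line: no type specifier, the second field is the context.
        if [ -z "$ctx" ]; then
            ctx=$spec
            spec=""
        fi
        # A type specifier like "--" only applies to that file type.
        if [ -n "$spec" ] && [ "$spec" != "-$ftype" ]; then
            continue
        fi
        # file_contexts regexes are implicitly anchored at both ends, so
        # /usr/sbin/unbound does not also label /usr/sbin/unbound-anchor.
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            result=$ctx   # later lines override earlier ones
        fi
    done <<EOF
$SPEC
EOF
    printf '%s\n' "$result"
}

# Demo for the reader (not captured by any test):
for p in /usr/sbin/unbound /etc/rc.d/init.d/unbound /usr/sbin/unbound-anchor /var/lib/unbound/root.key; do
    printf '%-30s %s\n' "$p" "$(label_for "$p" -)"
done
printf '%-30s %s\n' "/usr/sbin/unbound (as a dir)" "$(label_for /usr/sbin/unbound d)"
```

On a real F10 box the equivalent checks are `matchpathcon /usr/sbin/unbound` (expected label) versus `ls -Z /usr/sbin/unbound` (label actually on disk; run `restorecon -v /usr/sbin/unbound` after installing the new policy if they differ), and `ps -eZ | grep unbound` to confirm the daemon is running in named_t rather than unconfined initrc_t.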
Fixed in selinux-policy-3.5.13-33.fc10
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here: