location of postfix ssl certificates

Dominick Grift domg472 at gmail.com
Sun Mar 14 22:21:07 UTC 2010


On Sun, Mar 14, 2010 at 06:44:17PM +0100, Ruben Kerkhof wrote:
> On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472 at gmail.com> wrote:
> > On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
> >> Hi all,
> >>
> >> I was wondering what would be the best place to store tls certificates
> >> for postfix.
> >> Right now, we store them in /var, which is denied by the policy.
> >>
> >> The policy allows postfix files_read_usr_files (for openssl, that's
> >> what the comment above it says) but wouldn't it be better to store
> >> them under /etc/pki?
> >> Maybe there should be a postfix_cert_t or something?
> >
> > I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. Although you could probably also dump them into /etc/postfix
> 
> Thanks, I've put them in /etc/pki for now, postfix has
> files_read_etc_files so it's allowed to read the keys.
> On the other hand, all other applications with files_read_etc_files can too.

Sorry, I meant something like /etc/pki/tls/certs

And then you would give postfix access to read certificates with miscfiles_read_certs(postfix_t) (I think it was)

> 
> An alternative is /etc/postfix, but it looks to me like postfix has
> write access to all files therein.
> It shouldn't be allowed to write its own config files, and especially
> not my private keys :-)

If that is true then that is indeed a bad idea.

> 
> Unless I'm misinterpreting the policy of course...
> 
> Thanks,
> 
> Ruben
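The arrangement Dominick describes above (certificates under /etc/pki/tls/certs, with postfix granted read access through the miscfiles interface instead of the broader files_read_etc_files), written out as a small local policy module. This is an added illustration, not code from the thread or from the Fedora policy; the domain names postfix_smtpd_t and postfix_smtp_t are the reference-policy names assumed here in place of the thread's "postfix_t".

```m4
policy_module(local_postfix_certs, 1.0)

gen_require(`
    # Reference-policy postfix domains (assumed; the thread says "postfix_t")
    type postfix_smtpd_t;
    type postfix_smtp_t;
')

# Files under /etc/pki/tls/certs already carry the cert_t label in the base
# policy, so a certificate or key dropped there needs no new type such as
# postfix_cert_t; only the read rule for the postfix domains is missing.
#
# miscfiles_read_certs() grants read/search on cert_t and nothing else. That is
# narrower than files_read_etc_files(): no write permission, and no access to
# the rest of /etc, so the private key is readable only by domains that are
# explicitly given this interface.
miscfiles_read_certs(postfix_smtpd_t)
miscfiles_read_certs(postfix_smtp_t)
```

Build with `make -f /usr/share/selinux/devel/Makefile local_postfix_certs.pp` and load with `semodule -i local_postfix_certs.pp`; `matchpathcon /etc/pki/tls/certs/<file>` confirms the path resolves to cert_t before relying on it.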