location of postfix ssl certificates

Dominick Grift domg472 at gmail.com
Mon Mar 15 19:15:06 UTC 2010


On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
> On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03 at grifent.com> wrote:
> > I use postfix and have for a long time.
> >
> > I put the certificates in:
> >
> > /etc/pki/tls/certs and /etc/pki/tls/private .
> >
> > The standard selinux policy works without modification on Fedora 12.
> >
> > Regards,
> > John
> 
> Hi John,
> 
> The policy in F-12 works, but it's too open IMHO.
> /etc/pki/tls/private is also labeled as cert_t.
> All applications who can read cert_t can read this directory. I want
> to restrict access to only postfix.

Security vs. usability is always a trade-off. Obviously the designers of the policy think it is not worth it.
However, the good news is that policy is just configuration. SELinux is a framework that allows you to define whatever policy you like.

So you could, if you wanted, create a custom policy module or modify existing policy to implement your requirements.

You would for example declare a (file) type and give only postfix access to read it:


mypostfix.te:
policy_module(mypostfix, 1.0.0)

# Declare a dedicated file type for the postfix certificates
type mypostfix_cert_t;
files_type(mypostfix_cert_t)

# Only the postfix master domain gets read access to files of this type
optional_policy(`
	gen_require(`
		type postfix_master_t;
	')
	read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
')

mypostfix.fc:
# Label the certificate directory and everything below it
/etc/postfix/certs(/.*)?	gen_context(system_u:object_r:mypostfix_cert_t, s0)

compile/install:
make -f /usr/share/selinux/devel/Makefile mypostfix.pp
sudo semodule -i mypostfix.pp

restore context /etc/postfix/certs:
sudo restorecon -R -v /etc/postfix/certs
> 
> Regards,
> 
> Ruben
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
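As an added check, not part of the thread above: a small Python audit that parses sesearch-style allow rules and reports which domains may read a given file type, so you can confirm that mypostfix_cert_t is readable only by postfix_master_t while the generic cert_t is readable by many domains. The rule text is a constructed sample, not real policy output; on a live system you would feed it the output of `sesearch -A -c file -p read` (setools).

```python
import re

# Constructed sample in the style of `sesearch -A -c file -p read` output.
# Not taken from a real policy; it just models the situation in the thread.
SAMPLE_RULES = """\
allow postfix_master_t cert_t:file { getattr ioctl lock open read };
allow httpd_t cert_t:file { getattr ioctl lock open read };
allow dovecot_t cert_t:file { getattr open read };
allow postfix_master_t mypostfix_cert_t:file { getattr open read };
allow postfix_smtpd_t postfix_master_t:fifo_file write;
"""

# allow <source> <target>:<class> { perm perm ... };   or   allow ... <class> perm;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_allow_rules(text):
    """Yield (source, target, class, set_of_perms) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines, comments, or lines that are not allow rules
        perms = set((m.group("perms") or m.group("perm")).split())
        yield m.group("src"), m.group("tgt"), m.group("cls"), perms


def readers_of(text, file_type):
    """Domains that may read ordinary files labelled file_type."""
    return {
        src for src, tgt, cls, perms in parse_allow_rules(text)
        if tgt == file_type and cls == "file" and "read" in perms
    }


def unexpected_readers(text, file_type, allowed):
    """Domains with read access that are not in the expected allow-list."""
    return readers_of(text, file_type) - set(allowed)


if __name__ == "__main__":
    for t in ("cert_t", "mypostfix_cert_t"):
        extra = unexpected_readers(SAMPLE_RULES, t, {"postfix_master_t"})
        print(t, "readers:", sorted(readers_of(SAMPLE_RULES, t)), "unexpected:", sorted(extra))
```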