On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
> Hi all,
> I was wondering what would be the best place to store TLS certificates
> for Postfix.
> Right now, we store them in /var, which is denied by the policy.
> The policy allows postfix files_read_usr_files (for openssl, that's
> what the comment above it says) but wouldn't it be better to store
> them under /etc/pki?
> Maybe there should be a postfix_cert_t or something?
> Regards,
> Ruben
sesearch -A -s postfix_t -t cert_t
Found 3 semantic av rules:
allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
allow postfix_master_t cert_t : lnk_file { read getattr } ;
# matchpathcon /etc/pki/
/etc/pki system_u:object_r:cert_t:s0
Looks like a good place to store them.
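
The check made by eye in the reply above can be scripted. This is an added example, not part of the original thread: the function names `has_perms` and `can_load_certs` are hypothetical, and the parser assumes the `allow` rule layout shown in the sesearch output above, with each rule on one line.

```shell
#!/bin/sh
# Sample rules copied from the sesearch output quoted in the thread.
SAMPLE_RULES='allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
allow postfix_master_t cert_t : lnk_file { read getattr } ;'

# has_perms DOMAIN TARGET CLASS PERM...
# Reads "allow" rules on stdin. Returns 0 only if every PERM is granted to
# DOMAIN on TARGET for object class CLASS (permissions may span several rules).
has_perms() {
    domain=$1 target=$2 class=$3
    shift 3
    awk -v d="$domain" -v t="$target" -v c="$class" -v want="$*" '
        $1 == "allow" && $2 == d && $3 == t && $4 == ":" && $5 == c {
            # Collect every permission token, skipping braces and the semicolon.
            for (i = 6; i <= NF; i++)
                if ($i != "{" && $i != "}" && $i != ";") granted[$i] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in granted)) {
                    print "missing: " c " " w[i] > "/dev/stderr"
                    bad = 1
                }
            exit bad + 0
        }'
}

# can_load_certs DOMAIN TARGET
# A daemon loading a certificate needs to traverse the directory and
# read the file, so require both sets of permissions.
can_load_certs() {
    rules=$(cat)
    printf '%s\n' "$rules" | has_perms "$1" "$2" file read open getattr &&
    printf '%s\n' "$rules" | has_perms "$1" "$2" dir search getattr
}

# Stand-alone run against the sample rules.
printf '%s\n' "$SAMPLE_RULES" | can_load_certs postfix_master_t cert_t \
    && echo "postfix_master_t can read cert_t files"
```

On a live system, pipe the real output in instead of the sample, for example `sesearch -A -s postfix_t -t cert_t | can_load_certs postfix_master_t cert_t`.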