On Mon, Mar 15, 2010 at 03:29, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
>
> Hi all,
>
> I was wondering what would be the best place to store tls certificates
> for postfix.
> Right now, we store them in /var, which is denied by the policy.
>
> The policy allows postfix files_read_usr_files (for openssl, that's
> what the comment above it says) but wouldn't it be better to store
> them under /etc/pki?
> Maybe there should be a postfix_cert_t or something?
>
> Regards,
>
> Ruben
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
sesearch -A -s postfix_t -t cert_t
Found 3 semantic av rules:
allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
allow postfix_master_t cert_t : lnk_file { read getattr } ;
# matchpathcon /etc/pki/
/etc/pki system_u:object_r:cert_t:s0
Looks like a good place to store them.
Yeah, but what about all other applications which are allowed to read
files labeled cert_t?
I don't mind for certificates, but they can't be allowed to read
postfix private keys.
Something I can fix with filesystem permissions, but selinux should be
there as a safety net, right?
I could label the keys postfix_etc_t, but postfix itself is allowed to
write to those types of files.
So something like postfix_private_key_t should be ok.
How does selinux do this for other applications like apache?
Thanks,
Ruben
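Ruben's concern is answerable with the same sesearch query Dan used, run against the target type rather than the source domain. The script below is an added example, not code from this thread: it parses `allow SRC TGT : CLASS { perms } ;` lines (the format shown above) and lists every source domain granted a given permission, so you can compare who may read cert_t against who may read a dedicated key type. The SAMPLE rules are constructed for the example; only the postfix_master_t line comes from the thread, the others are made up to show the point.

```shell
#!/bin/sh
# Constructed sample of `sesearch -A -t cert_t` output, in the format shown in
# the thread. Only the postfix_master_t rule is real; the others are made up.
# On a live host replace SAMPLE with:  sesearch -A -t cert_t
SAMPLE='Found 4 semantic av rules:
allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow httpd_t cert_t : file { ioctl read getattr lock open } ;
allow sshd_t cert_t : dir { ioctl read getattr lock search open } ;
allow dovecot_t cert_t : file getattr ;'

# readers_of CLASS PERM
# Reads sesearch "allow" rules on stdin and prints each source domain that is
# granted PERM on objects of CLASS. Handles both the braced permission list
# "{ a b c }" and the single-permission form "file read ;".
readers_of() {
    awk -v cls="$1" -v perm="$2" '
        $1 == "allow" && $5 == cls {
            if ($6 == "{") {
                for (i = 7; i <= NF && $i != "}"; i++)
                    if ($i == perm) { print $2; break }
            } else if ($6 == perm) {
                print $2
            }
        }'
}

# cert_readers: the audit Ruben asks for, as a sorted space-separated list.
# Every domain printed here could read a private key stored under cert_t.
cert_readers() {
    printf '%s\n' "$SAMPLE" | readers_of file read | sort | tr '\n' ' '
}

# Usage: every domain that may read cert_t files, then every domain that may
# search cert_t directories.
cert_readers; echo
printf '%s\n' "$SAMPLE" | readers_of dir search
```

Running the same function with a live `sesearch -A -t postfix_etc_t` (or whatever type the keys end up with) and diffing the two lists shows exactly which domains the new label removes from the key's readers.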