On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
On Mon, Mar 15, 2010 at 19:09, John Griffiths
> I use postfix and have for a long time.
> I put the certificates in:
> /etc/pki/tls/certs and /etc/pki/tls/private .
> The standard selinux policy works without modification on Fedora 12.
The policy in F-12 works, but it's to open IMHO.
/etc/pki/tls/private is also labeled as cert_t.
All applications who can read cert_t can read this directory. I want
to restrict access to only postfix.
Security vs. usability is always a trade off. Obviously the designers of the policy think
it is not worth it.
However, the good news is that policy is just configuration. SELinux is a framework that
allows you to define whatever policy you like.
So you you, if you wanted, create a custom policy module or modify exisitng policy to
implement your requirements.
You would for example declare a (file) type and give only postfix access to read it:
read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
/etc/postfix/certs(/.*)? gen_context(system_u:object_r:mypostfix_cert_t, s0)
make -f /usr/share/selinux/devel/Makefile mypostfix.pp
sudo semodule -i mypostfix.pp
restore context /etc/postfix/certs:
restorecon -R -v /etc/postfix/certs
selinux mailing list