On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
On Mon, Mar 15, 2010 at 19:09, John Griffiths
<fedora03(a)grifent.com> wrote:
> I use postfix and have for a long time.
>
> I put the certificates in:
>
> /etc/pki/tls/certs and /etc/pki/tls/private .
>
> The standard selinux policy works without modification on Fedora 12.
>
> Regards,
> John
Hi John,
The policy in F-12 works, but it's to open IMHO.
/etc/pki/tls/private is also labeled as cert_t.
All applications who can read cert_t can read this directory. I want
to restrict access to only postfix.
Security vs. usability is always a trade off. Obviously the designers of the policy think
it is not worth it.
However, the good news is that policy is just configuration. SELinux is a framework that
allows you to define whatever policy you like.
So you you, if you wanted, create a custom policy module or modify exisitng policy to
implement your requirements.
You would for example declare a (file) type and give only postfix access to read it:
mypostfix.te:
policy_module(mypostfix, 1.0.0)
type mypostfix_cert_t;
files_type(mypostfix_cert_t)
optional_policy(`
gen_require(`
type postfix_master_t;
')
read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
')
mypostfix.fc
/etc/postfix/certs(/.*)? gen_context(system_u:object_r:mypostfix_cert_t, s0)
compile/install:
make -f /usr/share/selinux/devel/Makefile mypostfix.pp
sudo semodule -i mypostfix.pp
restore context /etc/postfix/certs:
restorecon -R -v /etc/postfix/certs
Regards,
Ruben
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux