location of postfix ssl certificates

Ruben Kerkhof ruben at rubenkerkhof.com
Sun Mar 14 17:44:17 UTC 2010


On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472 at gmail.com> wrote:
> On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>
> I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. Although you could probably also dump them into /etc/postfix.

Thanks, I've put them in /etc/pki for now, postfix has
files_read_etc_files so it's allowed to read the keys.
On the other hand, all other applications with files_read_etc_files can too.

An alternative is /etc/postfix, but it looks to me like postfix has
write access to all files therein.
It shouldn't be allowed to write its own config files, and especially
not my private keys :-)

Unless I'm misinterpreting the policy of course...

Thanks,

Ruben

