location of postfix ssl certificates

Ruben Kerkhof ruben at rubenkerkhof.com
Mon Mar 15 17:27:43 UTC 2010


On Mon, Mar 15, 2010 at 03:29, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
>>
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>>
>> Regards,
>>
>> Ruben
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>
> sesearch -A -s postfix_t -t cert_t
> Found 3 semantic av rules:
>   allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
>   allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
>   allow postfix_master_t cert_t : lnk_file { read getattr } ;
>
> # matchpathcon  /etc/pki/
> /etc/pki    system_u:object_r:cert_t:s0
>
>
> Looks like a good place to store them.

Yeah, but what about all other applications which are allowed to read
files labeled cert_t?
I don't mind for certificates, but they can't be allowed to read
postfix private keys.
Something I can fix with filesystem permissions, but selinux should be
there as a safety net, right?

I could label the keys postfix_etc_t, but postfix itself is allowed to
write to those types of files.

So something like postfix_private_key_t should be ok.
How does selinux do this for other applications like apache?

Thanks,

Ruben
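As an added example, not part of the thread, here is a small POSIX shell helper that answers the question above by parsing sesearch output: which source domains hold a given permission on files of a given type. The rule lines below are constructed in the format sesearch printed in this thread; on a real system the output of `sesearch -A -t cert_t -c file -p read` would be piped in instead.

```shell
#!/bin/sh
# Constructed sample in the setools-3 output format shown in the thread.
# Real use: sesearch -A -t cert_t -c file -p read | domains_with cert_t read
SAMPLE_RULES='Found 5 semantic av rules:
  allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
  allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
  allow httpd_t cert_t : file { ioctl read getattr lock open } ;
  allow dovecot_t cert_t : file { read getattr open } ;
  allow postfix_master_t postfix_etc_t : file { ioctl read write getattr lock open } ;'

# domains_with TYPE PERM: read sesearch allow rules on stdin and print each
# source domain granted PERM on class "file" for TYPE, sorted and unique.
# Handles both "tgt : class { perms } ;" (setools 3) and "tgt:class { perms };"
# (setools 4) spacing, and a single permission given without braces.
domains_with() {
    awk -v want="$1" -v perm="$2" '
        $1 == "allow" {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/[ \t]*:[ \t]*/, ":", line)      # "tgt : class" -> "tgt:class"
            split(line, f, /[ \t]+/)               # f[2]=source, f[3]=target:class
            split(f[3], tc, ":")
            if (tc[1] != want || tc[2] != "file") next
            if (match(line, /\{[^}]*\}/))
                perms = substr(line, RSTART + 1, RLENGTH - 2)
            else
                perms = f[4]
            gsub(/;/, "", perms)
            if (index(" " perms " ", " " perm " ") > 0) print f[2]
        }' | sort -u
}

# Every domain that may read cert_t files: more than just postfix.
printf '%s\n' "$SAMPLE_RULES" | domains_with cert_t read
# Domains that may write postfix_etc_t: postfix itself, which is why a
# key labelled postfix_etc_t is not protected from the daemon that uses it.
printf '%s\n' "$SAMPLE_RULES" | domains_with postfix_etc_t write
```

Running the first query against the live policy shows how many unrelated domains would be able to read a private key stored under a cert_t path, which is the exposure the message above is asking about.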