Re: host certificates & keys


 







Subject: Re: host certificates & keys
From: "Stanisław T. Findeisen" <sf181257@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 08 Feb 2008 20:00:10 +0100
To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
CC: fedora-selinux-list@xxxxxxxxxx

Daniel J Walsh wrote:
Are there any standard ways to add certificate and private key files to
services like Postfix (SMTP) or Dovecot (POP3/IMAP) to enable them to use TLS?

I don't see this as an SELinux question?

Can I add them anywhere, name them as I wish, give them any SELinux labels and permissions and SELinux will allow read access to them?
The standard place to put them is /etc/pki . Dovecot installs a directory there for secure POP and IMAP and you put them in ./dovecot/private or ./dovecot/certs. The default name is dovecot.pem for both private and certs. If you use another name, just make the entry in dovecot.conf match and uncomment the lines for ssl_cert_file and ssl_key_file.

There are similar locations for tls in the /etc/pki directory.

The files should pick up the correct SELinux context but if they don't, it is system_u:object_r:cert_t for ./dovecot/private/dovecot.pem and system_u:object_r:dovecot_cert_t for ./dovecot/certs/dovecot.pem.

Use the tls/certs/Makefile in to make the proper certs for tls. All the tls certs get system_u:object_r:cert_t .

Regards,
John





This would probably mean that SELinux policies deployed in Fedora are somewhat too liberal?...

STF



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
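
An added example, not part of the original message or of Fedora's policy tooling: a shell check that compares the SELinux type on certificate and key files with the types named in the message above. The function names and the sample input are constructed for illustration, and the `/etc/pki/tls/` pattern assumes that "the tls certs" live under that directory.

```shell
#!/bin/sh
# Added example: audit SELinux types of TLS cert/key files against the
# types named in the message. Function names are hypothetical.

# Map a path to the type the message says it should carry.
expected_type() {
    case "$1" in
        /etc/pki/dovecot/private/*) echo cert_t ;;
        /etc/pki/dovecot/certs/*)   echo dovecot_cert_t ;;
        /etc/pki/tls/*)             echo cert_t ;;   # assumption: "the tls certs" live here
        *)                          echo "" ;;
    esac
}

# The third field of user:role:type[:level] is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reads "context path" lines on stdin (what `stat -c '%C %n' FILE...` prints),
# reports files whose type differs, and returns 1 if any were found.
audit_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue        # path not covered by the message
        got=$(context_type "$ctx")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path: have $got, expected $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (not output from a real host).
audit_labels <<'EOF' || echo "relabel needed"
system_u:object_r:cert_t /etc/pki/dovecot/private/dovecot.pem
system_u:object_r:etc_t:s0 /etc/pki/dovecot/certs/dovecot.pem
system_u:object_r:cert_t:s0 /etc/pki/tls/certs/localhost.crt
EOF
```

On a live host, pipe `stat -c '%C %n' /etc/pki/dovecot/private/*.pem /etc/pki/dovecot/certs/*.pem` into `audit_labels`; `restorecon -v` resets a mismatched file to the context the loaded policy assigns to its path.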
