On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@xxxxxxxxx> wrote:
> On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>
> I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed, although you could probably also dump them into /etc/postfix

Thanks, I've put them in /etc/pki for now, postfix has files_read_etc_files so it's allowed to read the keys.
On the other hand, all other applications with files_read_etc_files can too.

An alternative is /etc/postfix, but it looks to me like postfix has write access to all files therein.
It shouldn't be allowed to write its own config files, and especially not my private keys :-)
Unless I'm misinterpreting the policy of course...

Thanks,
Ruben
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
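
The trade-off raised in this thread (who else can read a key's type, and whether the daemon can write it) can be checked mechanically from allow rules. The following is an added example, not part of the original messages and not code from the SELinux project: it parses rules in the `allow source target:class { perms };` form and reports readers and writers per type. The rules are constructed for illustration and do not reflect any real policy, and `postfix_cert_t` is the hypothetical type suggested in the thread.

```python
import re

# Constructed sample rules for illustration; NOT taken from a real policy.
# postfix_cert_t is hypothetical (the dedicated type proposed in the thread).
SAMPLE_RULES = """\
allow postfix_master_t etc_t:file { read getattr open };
allow postfix_master_t postfix_etc_t:file { read write getattr open };
allow httpd_t etc_t:file { read getattr open };
allow sshd_t etc_t:file read;
allow postfix_smtpd_t postfix_cert_t:file { read getattr open };
allow postfix_master_t postfix_etc_t:dir { search add_name };
"""

# Matches both the braced permission set and the single-permission form.
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")

def parse_rules(text):
    """Yield (source, target, class, permission set) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = set((m.group(4) or m.group(5)).split())
            yield m.group(1), m.group(2), m.group(3), perms

def domains_with(text, target, perm, tclass="file"):
    """Sorted source domains granted `perm` on `target` objects of `tclass`."""
    return sorted({src for src, tgt, cls, perms in parse_rules(text)
                   if tgt == target and cls == tclass and perm in perms})

def audit_key_type(text, key_type, daemon_prefix="postfix_"):
    """Report non-daemon readers and all writers of files labelled `key_type`."""
    readers = domains_with(text, key_type, "read")
    return {
        "other_readers": [d for d in readers
                          if not d.startswith(daemon_prefix)],
        "writers": domains_with(text, key_type, "write"),
    }

if __name__ == "__main__":
    for key_type in ("etc_t", "postfix_etc_t", "postfix_cert_t"):
        print(key_type, audit_key_type(SAMPLE_RULES, key_type))
```

On a real system the input would be the rule listing for the loaded policy rather than the constructed sample.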