On Sun, Mar 14, 2010 at 06:44:17PM +0100, Ruben Kerkhof wrote:
> On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@xxxxxxxxx> wrote:
> > On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
> >> Hi all,
> >>
> >> I was wondering what would be the best place to store TLS certificates
> >> for postfix.
> >> Right now, we store them in /var, which is denied by the policy.
> >>
> >> The policy allows postfix files_read_usr_files (for openssl, that's
> >> what the comment above it says) but wouldn't it be better to store
> >> them under /etc/pki?
> >> Maybe there should be a postfix_cert_t or something?
> >
> > I am not very familiar with postfix and its policy, but in my opinion certs should be in /etc/pki indeed, although you could probably also dump them into /etc/postfix.
>
> Thanks, I've put them in /etc/pki for now; postfix has
> files_read_etc_files so it's allowed to read the keys.
> On the other hand, all other applications with files_read_etc_files can too.

Sorry, I meant something like /etc/pki/tls/certs.

And then you would give postfix access to read certificates with miscfiles_read_certs(postfix_t) (I think it was).

>
> An alternative is /etc/postfix, but it looks to me like postfix has
> write access to all files therein.
> It shouldn't be allowed to write its own config files, and especially
> not my private keys :-)

If that is true then that is indeed a bad idea.

>
> Unless I'm misinterpreting the policy of course...
>
> Thanks,
>
> Ruben
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
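A defender-side check for the arrangement discussed in the thread, added here as an example and not code from the thread or from the policy: audit the SELinux labels on the TLS files, and emit the small local policy module that gives postfix_t read-only access through miscfiles_read_certs. The sample paths and labels are constructed; cert_t is the refpolicy type that interface grants read access to.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits SELinux labels on Postfix's TLS
# files and prints the local policy module the thread suggests. Paths and labels
# in SAMPLE are constructed; cert_t is the type miscfiles_read_certs() reads.

# Return 0 when the observed type is the one expected for the path: certificate
# material belongs under /etc/pki with type cert_t. Anything elsewhere (e.g. /var,
# as in the original setup) is reported, since cert_t access will not cover it.
cert_label_ok() {
    case "$1" in
        /etc/pki/*) [ "$2" = "cert_t" ] ;;
        *) return 1 ;;
    esac
}

# Read "path type" pairs on stdin (what list_labels prints), report each
# offender, and return the number of mismatches (0 means all labels are fine).
audit_labels() {
    bad=0
    while read -r path type; do
        [ -n "$path" ] || continue
        cert_label_ok "$path" "$type" || { echo "MISMATCH $path $type"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# On a real host: "path type" pairs from stat's SELinux context field (%C),
# which is user:role:type:level, so the type is the 4th field after splitting.
list_labels() {
    stat -c '%n %C' "$@" | awk -F'[ :]' '{ print $1, $4 }'
}

# Local policy module: postfix_t may read cert_t, with no write permission
# on the certificates or private keys (refpolicy .te syntax).
policy_module_te() {
    cat <<'EOF'
policy_module(local_postfix_certs, 1.0)
require {
    type postfix_t;
}
miscfiles_read_certs(postfix_t)
EOF
}

# Constructed sample of what list_labels might print on a misconfigured host.
SAMPLE='/etc/pki/tls/certs/postfix.pem cert_t
/etc/pki/tls/private/postfix.key var_t
/var/postfix/certs/old.pem var_t'

printf '%s\n' "$SAMPLE" | audit_labels || echo "$? file(s) mislabelled; fix with: restorecon -Rv /etc/pki/tls"
```

On a live system replace the sample with `list_labels /etc/pki/tls/certs/* /etc/pki/tls/private/*`, and build the module with the usual `checkmodule`/`semodule_package`/`semodule -i` steps.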