On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
> Hi all,
>
> I was wondering what would be the best place to store tls certificates
> for postfix.
> Right now, we store them in /var, which is denied by the policy.
>
> The policy allows postfix files_read_usr_files (for openssl, that's
> what the comment above it says) but wouldn't it be better to store
> them under /etc/pki?
> Maybe there should be a postfix_cert_t or something?
>
> Regards,
>
> Ruben
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

sesearch -A -s postfix_t -t cert_t
Found 3 semantic av rules:
   allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
   allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
   allow postfix_master_t cert_t : lnk_file { read getattr } ;

# matchpathcon /etc/pki/
/etc/pki	system_u:object_r:cert_t:s0

Looks like a good place to store them.
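
The check made by hand in the reply above can be scripted. This is an added example, not part of the original thread: it parses `sesearch -A` output and confirms that a domain holds the read-only permissions needed to load certificates labelled cert_t. The function names are hypothetical helpers, and the embedded sample is the rule set quoted in the reply.

```shell
#!/bin/sh
# Rules exactly as quoted in the reply (sesearch -A -s postfix_t -t cert_t).
sample_rules() {
cat <<'EOF'
Found 3 semantic av rules:
   allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
   allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
   allow postfix_master_t cert_t : lnk_file { read getattr } ;
EOF
}

# has_perms DOMAIN CLASS PERM...   (hypothetical helper)
# Reads sesearch -A output on stdin. Succeeds only if the allow rules for
# DOMAIN -> cert_t on object class CLASS together grant every PERM.
# Also tolerates output written without spaces around ':' and ';'.
has_perms() {
    domain=$1 class=$2; shift 2
    awk -v d="$domain" -v c="$class" -v want="$*" '
        { gsub(/[:;]/, " & ") }          # normalise separators, re-split fields
        $1 == "allow" && $2 == d && $3 == "cert_t" && $4 == ":" && $5 == c {
            for (i = 6; i <= NF; i++) granted[$i] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in granted)) exit 1
            exit 0
        }'
}

# can_read_certs DOMAIN   (hypothetical helper)
# A process must be able to search the directory and open/read the file.
can_read_certs() {
    rules=$(cat)
    printf '%s\n' "$rules" | has_perms "$1" dir search getattr &&
    printf '%s\n' "$rules" | has_perms "$1" file read open getattr
}

# Demo on the embedded sample; on a live system pipe real sesearch output in.
if sample_rules | can_read_certs postfix_master_t; then
    echo "postfix_master_t can read cert_t files"
fi
```

On a live system, replace `sample_rules` with the `sesearch` command from the reply and run the check for each Postfix domain that has to open the certificate.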