On Mon, Mar 15, 2010 at 03:29, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
>>
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>>
>> Regards,
>>
>> Ruben
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> sesearch -A -s postfix_t -t cert_t
> Found 3 semantic av rules:
> allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
> allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
> allow postfix_master_t cert_t : lnk_file { read getattr } ;
>
> # matchpathcon /etc/pki/
> /etc/pki system_u:object_r:cert_t:s0
>
> Looks like a good place to store them.

Yeah, but what about all other applications which are allowed to read files labeled cert_t?
I don't mind for certificates, but they can't be allowed to read postfix private keys.
Something I can fix with filesystem permissions, but selinux should be there as a safety net, right?

I could label the keys postfix_etc_t, but postfix itself is allowed to write to those types of files.
So something like postfix_private_key_t should be ok.

How does selinux do this for other applications like apache?

Thanks,

Ruben
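The concern raised above (every domain allowed to read cert_t can also read a private key stored under that label) can be checked against the policy with the same sesearch output Dan quoted. The script below is an added example, not part of the thread: it parses sesearch rule lines in the format shown in the mail (setools 3 style, `allow SRC TGT : CLASS { perms } ;`, with newer `TGT:CLASS { perms };` output normalised first) and lists every source domain with `read` on files of a given type. The sample rules other than the postfix one are constructed for illustration; `audit_live` runs the real query only if sesearch is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Given sesearch -A output on stdin,
# print every source domain allowed to read files of TARGET_TYPE.
# Usage: list_readers TARGET_TYPE CLASS < sesearch_output
list_readers() {
    target="$1"; class="$2"
    # Normalise "cert_t:file { ... };" (newer setools) to the spaced
    # "cert_t : file { ... } ;" form quoted in the thread, then match
    # rules on the wanted target/class whose permission set contains read.
    sed 's/:/ : /; s/;/ ; /' | awk -v tgt="$target" -v cls="$class" '
        $1 == "allow" && $3 == tgt && $5 == cls {
            for (i = 6; i <= NF; i++) if ($i == "read") { print $2; break }
        }' | sort -u
}

# Constructed sample in the format sesearch prints. Only the postfix_master_t
# rules come from the thread; example_daemon_t and other_daemon_t are made up.
SAMPLE_RULES='Found 5 semantic av rules:
allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow example_daemon_t cert_t : file { getattr } ;
allow other_daemon_t cert_t:file { ioctl read getattr lock open };
allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ;
allow postfix_master_t cert_t : lnk_file { read getattr } ;
'

# Readers of cert_t files in the sample (dir/lnk_file rules and the
# getattr-only rule do not count).
sample_readers() {
    printf '%s' "$SAMPLE_RULES" | list_readers cert_t file
}

count_sample_readers() {
    sample_readers | wc -l | tr -d ' '
}

# Same check against the running policy; sesearch comes from setools and
# the function just reports when it is missing.
audit_live() {
    t="${1:-cert_t}"
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 1; }
    sesearch -A -t "$t" -c file | list_readers "$t" file
}
```

A key that must stay private to postfix should show exactly one domain in that list; anything more is the exposure the thread describes, and is the argument for a dedicated type rather than cert_t.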