On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
> On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03@xxxxxxxxxxx> wrote:
> > I use postfix and have for a long time.
> >
> > I put the certificates in:
> >
> > /etc/pki/tls/certs and /etc/pki/tls/private .
> >
> > The standard selinux policy works without modification on Fedora 12.
> >
> > Regards,
> > John
>
> Hi John,
>
> The policy in F-12 works, but it's too open IMHO.
> /etc/pki/tls/private is also labeled as cert_t.
> All applications who can read cert_t can read this directory. I want
> to restrict access to only postfix.

Security vs. usability is always a trade-off. Obviously the designers of the
policy think it is not worth it.

However, the good news is that policy is just configuration. SELinux is a
framework that allows you to define whatever policy you like. So you could,
if you wanted, create a custom policy module or modify existing policy to
implement your requirements.

You would for example declare a (file) type and give only postfix access to
read it:

mypostfix.te:

    policy_module(mypostfix, 1.0.0)

    # A private file type for the postfix certificates
    type mypostfix_cert_t;
    files_type(mypostfix_cert_t)

    optional_policy(`
        gen_require(`
            type postfix_master_t;
        ')
        # search on the directory and read on the files, for postfix only
        read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
    ')

mypostfix.fc:

    /etc/postfix/certs(/.*)?    gen_context(system_u:object_r:mypostfix_cert_t, s0)

compile/install:

    make -f /usr/share/selinux/devel/Makefile mypostfix.pp
    sudo semodule -i mypostfix.pp

restore context /etc/postfix/certs:

    restorecon -R -v /etc/postfix/certs

> > Regards,
> > Ruben
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
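After the module is installed, the step a practitioner wants is a check that the new type is really readable only by the intended domain. The script below is an added example and is not from the thread or the Fedora policy: it parses the output of `sesearch -A -t mypostfix_cert_t -c file -p read` (the `sesearch` tool from the setools package, setools 4 output format assumed) and compares every domain that holds `read` on the type against an allow list. The sample `sesearch` lines are constructed for the offline run. Two things the check makes visible: on a targeted policy `unconfined_t` will always be listed, because unconfined domains may read every file type, so "only postfix" holds among the confined domains; and if the certificate is actually opened by a postfix process running in a domain other than `postfix_master_t` (for example the smtpd daemon's domain, `postfix_smtpd_t`), that shows up as an AVC denial in the audit log after a postfix restart and the `read_files_pattern` rule needs a second domain.

```shell
#!/bin/sh
# Added example, not code from the thread: verify which SELinux domains can
# read files labelled with the custom type by inspecting sesearch output.
#
# Live usage (needs setools installed and the module loaded):
#   sesearch -A -t mypostfix_cert_t -c file -p read \
#     | check_readers mypostfix_cert_t postfix_master_t
#
# Constructed sample of `sesearch -A` output (setools 4 format) for the
# offline run below; it is not taken from a real system. The unconfined_t
# rule is what a targeted policy shows, since unconfined domains read all
# file types. The :dir rule is there to show it is ignored by the check.
SAMPLE='allow postfix_master_t mypostfix_cert_t:file { getattr ioctl lock open read };
allow postfix_smtpd_t mypostfix_cert_t:file { getattr ioctl lock open read };
allow unconfined_t mypostfix_cert_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow postfix_master_t mypostfix_cert_t:dir { getattr ioctl lock open read search };'

# readers_of TARGET_TYPE
# Reads sesearch output on stdin and prints, de-duplicated and one per line,
# every source domain that has "read" on class "file" for TARGET_TYPE.
readers_of() {
    awk -v t="$1" '
        $1 == "allow" && $3 == (t ":file") {
            perms = $0
            if (index(perms, "{")) {
                sub(/^[^{]*\{/, "", perms)   # drop everything up to "{"
                sub(/\}.*$/, "", perms)      # drop "}" and the trailing ";"
            } else {
                perms = $4                   # single permission: "allow a b:file read;"
                sub(/;$/, "", perms)
            }
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++)
                if (p[i] == "read") { print $2; break }
        }' | sort -u
}

# check_readers TARGET_TYPE ALLOWED_DOMAIN...
# Returns 0 when every domain that can read TARGET_TYPE is on the allowed
# list; otherwise prints each unexpected domain and returns 1.
check_readers() {
    target="$1"; shift
    rc=0
    for dom in $(readers_of "$target"); do
        found=0
        for allowed in "$@"; do
            [ "$dom" = "$allowed" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "unexpected reader of $target: $dom"; rc=1; }
    done
    return $rc
}

# Offline demonstration on the constructed sample: lists the three domains
# that hold read on mypostfix_cert_t files (postfix_master_t, postfix_smtpd_t,
# unconfined_t).
printf '%s\n' "$SAMPLE" | readers_of mypostfix_cert_t
```

Run the live form as root on the host after `semodule -i`; anything the check reports that is not a postfix domain or `unconfined_t` is a domain that the policy still lets read the private key, which is exactly the situation the custom type was meant to close.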