location of postfix ssl certificates
On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@gmail.com> wrote:
> On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote: >> Hi all, >> >> I was wondering what would be the best place to store tls certificates >> for postfix. >> Right now, we store them in /var, which is denied by the policy. >> >> The policy allows postfix files_read_usr_files (for openssl, that's >> what the comment above it says) but wouldn't it be better to store >> them under /etc/pki? >> Maybe there should be a postfix_cert_t or something? > > I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. although you could probably also dump them into /etc/postfix Thanks, I've put them in /etc/pki for now, postfix has files_read_etc_files so it's allowed to read the keys. On the other hand, all other applications with files_read_etc_files can too. An alternative is /etc/postfix, but it looks to me like postfix has write access to all files therein. It shouldn't be allowed to write it's own configfiles, and especially not my private keys :-) Unless I'm misinterpreting the policy of course... Thanks, Ruben -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
On Sun, Mar 14, 2010 at 06:44:17PM +0100, Ruben Kerkhof wrote:
> On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@gmail.com> wrote: > > On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote: > >> Hi all, > >> > >> I was wondering what would be the best place to store tls certificates > >> for postfix. > >> Right now, we store them in /var, which is denied by the policy. > >> > >> The policy allows postfix files_read_usr_files (for openssl, that's > >> what the comment above it says) but wouldn't it be better to store > >> them under /etc/pki? > >> Maybe there should be a postfix_cert_t or something? > > > > I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. although you could probably also dump them into /etc/postfix > > Thanks, I've put them in /etc/pki for now, postfix has > files_read_etc_files so it's allowed to read the keys. > On the other hand, all other applications with files_read_etc_files can too. Sorry i meant something like /etc/pki/tls/certs And then you would give postfix access to read certificates with miscfiles_read_certs(postfix_t) (i think it was) > > An alternative is /etc/postfix, but it looks to me like postfix has > write access to all files therein. > It shouldn't be allowed to write it's own configfiles, and especially > not my private keys :-) If that is true then that is indeed a bad idea. > > Unless I'm misinterpreting the policy of course... > > Thanks, > > Ruben -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
> Hi all, > > I was wondering what would be the best place to store tls certificates > for postfix. > Right now, we store them in /var, which is denied by the policy. > > The policy allows postfix files_read_usr_files (for openssl, that's > what the comment above it says) but wouldn't it be better to store > them under /etc/pki? > Maybe there should be a postfix_cert_t or something? > > Regards, > > Ruben > -- > selinux mailing list > selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > > > sesearch -A -s postfix_t -t cert_t Found 3 semantic av rules: allow postfix_master_t cert_t : file { ioctl read getattr lock open } ; allow postfix_master_t cert_t : dir { ioctl read getattr lock search open } ; allow postfix_master_t cert_t : lnk_file { read getattr } ; # matchpathcon /etc/pki/ /etc/pki system_u:object_r:cert_t:s0 Looks like a good place to store them. -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
On Mon, Mar 15, 2010 at 03:29, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/14/2010 05:28 AM, Ruben Kerkhof wrote: >> >> Hi all, >> >> I was wondering what would be the best place to store tls certificates >> for postfix. >> Right now, we store them in /var, which is denied by the policy. >> >> The policy allows postfix files_read_usr_files (for openssl, that's >> what the comment above it says) but wouldn't it be better to store >> them under /etc/pki? >> Maybe there should be a postfix_cert_t or something? >> >> Regards, >> >> Ruben >> -- >> selinux mailing list >> selinux@lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> >> > > sesearch -A -s postfix_t -t cert_t > Found 3 semantic av rules: > * allow postfix_master_t cert_t : file { ioctl read getattr lock open } ; > * allow postfix_master_t cert_t : dir { ioctl read getattr lock search open > } ; > * allow postfix_master_t cert_t : lnk_file { read getattr } ; > > # matchpathcon */etc/pki/ > /etc/pki * *system_u:object_r:cert_t:s0 > > > Looks like a good place to store them. Yeah, but what about all other applications which are allow to read files labeled cert_t? I don't mind for certificates, but they can't be allowed to read postfix private keys. Something I can fix with filesystem permissions, but selinux should be there as a safety net, right? I could label the keys postfix_etc_t, but postfix itself is allowed to write to those types of files. So something like postfix_private_key_t should be ok. How does selinux do this for other applications like apache? Thanks, Ruben -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
I use postfix and have for a long time.
I put the certificates in: /etc/pki/tls/certs and /etc/pki/tls/private . The standard selinux policy works without modification on Fedora 12. Regards, John -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03@grifent.com> wrote:
> I use postfix and have for a long time. > > I put the certificates in: > > /etc/pki/tls/certs and /etc/pki/tls/private . > > The standard selinux policy works without modification on Fedora 12. > > Regards, > John Hi John, The policy in F-12 works, but it's to open IMHO. /etc/pki/tls/private is also labeled as cert_t. All applications who can read cert_t can read this directory. I want to restrict access to only postfix. Regards, Ruben -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
location of postfix ssl certificates
On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
> On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03@grifent.com> wrote: > > I use postfix and have for a long time. > > > > I put the certificates in: > > > > /etc/pki/tls/certs and /etc/pki/tls/private . > > > > The standard selinux policy works without modification on Fedora 12. > > > > Regards, > > John > > Hi John, > > The policy in F-12 works, but it's to open IMHO. > /etc/pki/tls/private is also labeled as cert_t. > All applications who can read cert_t can read this directory. I want > to restrict access to only postfix. Security vs. usability is always a trade off. Obviously the designers of the policy think it is not worth it. However, the good news is that policy is just configuration. SELinux is a framework that allows you to define whatever policy you like. So you you, if you wanted, create a custom policy module or modify exisitng policy to implement your requirements. You would for example declare a (file) type and give only postfix access to read it: mypostfix.te: policy_module(mypostfix, 1.0.0) type mypostfix_cert_t; files_type(mypostfix_cert_t) optional_policy(` gen_require(` type postfix_master_t; ') read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t) ') mypostfix.fc /etc/postfix/certs(/.*)? gen_context(system_u:object_r:mypostfix_cert_t, s0) compile/install: make -f /usr/share/selinux/devel/Makefile mypostfix.pp sudo semodule -i mypostfix.pp restore context /etc/postfix/certs: restorecon -R -v /etc/postfix/certs > > Regards, > > Ruben > -- > selinux mailing list > selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
| All times are GMT. The time now is 08:49 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.