On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
> On Mon, Mar 15, 2010 at 19:09, John Griffiths <email@example.com> wrote:
> > I use postfix and have for a long time.
> > I put the certificates in:
> > /etc/pki/tls/certs and /etc/pki/tls/private .
> > The standard selinux policy works without modification on Fedora 12.
> > Regards,
> > John
> Hi John,
> The policy in F-12 works, but it's too open IMHO.
> /etc/pki/tls/private is also labeled as cert_t.
> All applications that can read cert_t can read this directory. I want
> to restrict access to only postfix.
Security vs. usability is always a trade-off. Obviously the designers of the policy think it is not worth it.
However, the good news is that policy is just configuration. SELinux is a framework that allows you to define whatever policy you like.
So you could, if you wanted, create a custom policy module or modify existing policy to implement your requirements.
You would for example declare a (file) type and give only postfix access to read it:

    read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)

    make -f /usr/share/selinux/devel/Makefile mypostfix.pp
    sudo semodule -i mypostfix.pp

restore context /etc/postfix/certs:

    restorecon -R -v /etc/postfix/certs
selinux mailing list
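
The reply above shows only the access rule and the build commands. As an added example (not part of the original message), this script writes a complete module around that rule; the module version, the `gen_require` block, the `files_type()` call and the file-context entry are assumptions filled in from standard reference-policy conventions.

```shell
#!/bin/sh
# Added example (not from the thread): full mypostfix module around the one rule shown.
MODULE=mypostfix
CERT_DIR=/etc/postfix/certs                      # directory named in the restorecon step
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile # from the make step in the message

# Write mypostfix.te and mypostfix.fc into directory $1.
write_module() {
    mkdir -p "$1" || return 1
    cat > "$1/$MODULE.te" <<'EOF'
policy_module(mypostfix, 1.0.0)

# postfix_master_t is defined by the distribution policy, so require it.
gen_require(`
	type postfix_master_t;
')

# New private type for the key material, marked as a file type.
type mypostfix_cert_t;
files_type(mypostfix_cert_t)

# The rule from the message: search the directory and read the files in it.
read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
EOF
    # File context: label the directory and everything below it with the new type.
    printf '%s(/.*)?\tgen_context(system_u:object_r:mypostfix_cert_t,s0)\n' \
        "$CERT_DIR" > "$1/$MODULE.fc"
}

# Build, load and relabel, using the three commands from the message.
build_and_install() {
    [ -f "$DEVEL_MAKEFILE" ] || { echo "policy devel Makefile not found" >&2; return 2; }
    ( cd "$1" &&
      make -f "$DEVEL_MAKEFILE" "$MODULE.pp" &&
      sudo semodule -i "$MODULE.pp" &&
      sudo restorecon -R -v "$CERT_DIR" )
}

# Usage: sh mypostfix.sh generate DIR   or   sh mypostfix.sh install DIR
case "${1:-}" in
    generate) write_module "${2:-.}" ;;
    install)  write_module "${2:-.}" && build_and_install "${2:-.}" ;;
esac
```

After relabeling, `ls -Z /etc/postfix/certs` should show `mypostfix_cert_t`, and `ausearch -m avc` will show whether any other Postfix domain is now being denied access to the key files.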