FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-14-2010, 04:44 PM
Ruben Kerkhof
 
Default location of postfix ssl certificates

On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@gmail.com> wrote:
> On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>
> I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. although you could probably also dump them into /etc/postfix

Thanks, I've put them in /etc/pki for now, postfix has
files_read_etc_files so it's allowed to read the keys.
On the other hand, all other applications with files_read_etc_files can too.

An alternative is /etc/postfix, but it looks to me like postfix has
write access to all files therein.
It shouldn't be allowed to write it's own configfiles, and especially
not my private keys :-)

Unless I'm misinterpreting the policy of course...

Thanks,

Ruben
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-14-2010, 09:21 PM
Dominick Grift
 
Default location of postfix ssl certificates

On Sun, Mar 14, 2010 at 06:44:17PM +0100, Ruben Kerkhof wrote:
> On Sun, Mar 14, 2010 at 14:17, Dominick Grift <domg472@gmail.com> wrote:
> > On Sun, Mar 14, 2010 at 10:28:18AM +0100, Ruben Kerkhof wrote:
> >> Hi all,
> >>
> >> I was wondering what would be the best place to store tls certificates
> >> for postfix.
> >> Right now, we store them in /var, which is denied by the policy.
> >>
> >> The policy allows postfix files_read_usr_files (for openssl, that's
> >> what the comment above it says) but wouldn't it be better to store
> >> them under /etc/pki?
> >> Maybe there should be a postfix_cert_t or something?
> >
> > I am not very familiar with postfix and its policy but in my opinion certs should be in /etc/pki indeed. although you could probably also dump them into /etc/postfix
>
> Thanks, I've put them in /etc/pki for now, postfix has
> files_read_etc_files so it's allowed to read the keys.
> On the other hand, all other applications with files_read_etc_files can too.

Sorry i meant something like /etc/pki/tls/certs

And then you would give postfix access to read certificates with miscfiles_read_certs(postfix_t) (i think it was)

>
> An alternative is /etc/postfix, but it looks to me like postfix has
> write access to all files therein.
> It shouldn't be allowed to write it's own configfiles, and especially
> not my private keys :-)

If that is true then that is indeed a bad idea.

>
> Unless I'm misinterpreting the policy of course...
>
> Thanks,
>
> Ruben
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-15-2010, 01:29 AM
Daniel J Walsh
 
Default location of postfix ssl certificates

On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
> Hi all,
>
> I was wondering what would be the best place to store tls certificates
> for postfix.
> Right now, we store them in /var, which is denied by the policy.
>
> The policy allows postfix files_read_usr_files (for openssl, that's
> what the comment above it says) but wouldn't it be better to store
> them under /etc/pki?
> Maybe there should be a postfix_cert_t or something?
>
> Regards,
>
> Ruben
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
sesearch -A -s postfix_t -t cert_t
Found 3 semantic av rules:
allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
allow postfix_master_t cert_t : dir { ioctl read getattr lock search
open } ;
allow postfix_master_t cert_t : lnk_file { read getattr } ;

# matchpathcon /etc/pki/
/etc/pki system_ubject_r:cert_t:s0


Looks like a good place to store them.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-15-2010, 04:27 PM
Ruben Kerkhof
 
Default location of postfix ssl certificates

On Mon, Mar 15, 2010 at 03:29, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/14/2010 05:28 AM, Ruben Kerkhof wrote:
>>
>> Hi all,
>>
>> I was wondering what would be the best place to store tls certificates
>> for postfix.
>> Right now, we store them in /var, which is denied by the policy.
>>
>> The policy allows postfix files_read_usr_files (for openssl, that's
>> what the comment above it says) but wouldn't it be better to store
>> them under /etc/pki?
>> Maybe there should be a postfix_cert_t or something?
>>
>> Regards,
>>
>> Ruben
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
>
> sesearch -A -s postfix_t -t cert_t
> Found 3 semantic av rules:
> * allow postfix_master_t cert_t : file { ioctl read getattr lock open } ;
> * allow postfix_master_t cert_t : dir { ioctl read getattr lock search open
> } ;
> * allow postfix_master_t cert_t : lnk_file { read getattr } ;
>
> # matchpathcon */etc/pki/
> /etc/pki * *system_ubject_r:cert_t:s0
>
>
> Looks like a good place to store them.

Yeah, but what about all other applications which are allow to read
files labeled cert_t?
I don't mind for certificates, but they can't be allowed to read
postfix private keys.
Something I can fix with filesystem permissions, but selinux should be
there as a safety net, right?

I could label the keys postfix_etc_t, but postfix itself is allowed to
write to those types of files.

So something like postfix_private_key_t should be ok.
How does selinux do this for other applications like apache?

Thanks,

Ruben
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-15-2010, 05:09 PM
John Griffiths
 
Default location of postfix ssl certificates

I use postfix and have for a long time.

I put the certificates in:

/etc/pki/tls/certs and /etc/pki/tls/private .

The standard selinux policy works without modification on Fedora 12.

Regards,
John
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-15-2010, 06:05 PM
Ruben Kerkhof
 
Default location of postfix ssl certificates

On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03@grifent.com> wrote:
> I use postfix and have for a long time.
>
> I put the certificates in:
>
> /etc/pki/tls/certs and /etc/pki/tls/private .
>
> The standard selinux policy works without modification on Fedora 12.
>
> Regards,
> John

Hi John,

The policy in F-12 works, but it's to open IMHO.
/etc/pki/tls/private is also labeled as cert_t.
All applications who can read cert_t can read this directory. I want
to restrict access to only postfix.

Regards,

Ruben
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-15-2010, 06:15 PM
Dominick Grift
 
Default location of postfix ssl certificates

On Mon, Mar 15, 2010 at 08:05:38PM +0100, Ruben Kerkhof wrote:
> On Mon, Mar 15, 2010 at 19:09, John Griffiths <fedora03@grifent.com> wrote:
> > I use postfix and have for a long time.
> >
> > I put the certificates in:
> >
> > /etc/pki/tls/certs and /etc/pki/tls/private .
> >
> > The standard selinux policy works without modification on Fedora 12.
> >
> > Regards,
> > John
>
> Hi John,
>
> The policy in F-12 works, but it's to open IMHO.
> /etc/pki/tls/private is also labeled as cert_t.
> All applications who can read cert_t can read this directory. I want
> to restrict access to only postfix.

Security vs. usability is always a trade off. Obviously the designers of the policy think it is not worth it.
However, the good news is that policy is just configuration. SELinux is a framework that allows you to define whatever policy you like.

So you you, if you wanted, create a custom policy module or modify exisitng policy to implement your requirements.

You would for example declare a (file) type and give only postfix access to read it:


mypostfix.te:
policy_module(mypostfix, 1.0.0)
type mypostfix_cert_t;
files_type(mypostfix_cert_t)
optional_policy(`
gen_require(`
type postfix_master_t;
')
read_files_pattern(postfix_master_t, mypostfix_cert_t, mypostfix_cert_t)
')
mypostfix.fc
/etc/postfix/certs(/.*)? gen_context(system_ubject_r:mypostfix_cert_t, s0)

compile/install:
make -f /usr/share/selinux/devel/Makefile mypostfix.pp
sudo semodule -i mypostfix.pp

restore context /etc/postfix/certs:
restorecon -R -v /etc/postfix/certs



>
> Regards,
>
> Ruben
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 03:51 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org