
Re: host certificates & keys







Subject: Re: host certificates & keys
From: "Stanisław T. Findeisen" <sf181257 students mimuw edu pl>
Date: Fri, 08 Feb 2008 20:00:10 +0100
To: Daniel J Walsh <dwalsh redhat com>
CC: fedora-selinux-list redhat com
Content-Transfer-Encoding: 7bit
Precedence: junk
MIME-Version: 1.0
References: <47AC7859 6050003 students mimuw edu pl> <47AC7DFF 40908 redhat com>
In-Reply-To: <47AC7DFF 40908 redhat com>
Message-ID: <47ACA6BA 8060000 students mimuw edu pl>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Message: 2

Daniel J Walsh wrote:
Are there any standard ways to add certificate and private key files to
services like Postfix (SMTP) or Dovecot (POP3/IMAP) to enable them to use TLS?

I don't see this as an SELinux question?

Can I add them anywhere, name them as I wish, give them any SELinux labels and permissions and SELinux will allow read access to them?
The standard place to put them is /etc/pki. Dovecot installs a directory there for secure POP and IMAP and you put them in ./dovecot/private or ./dovecot/certs. The default name is dovecot.pem for both private and certs. If you use another name, just make the entry in dovecot.conf match and uncomment the lines for ssl_cert_file and ssl_key_file.

There are similar locations for tls in the /etc/pki directory.

The files should pick up the correct SELinux context, but if they don't, it is system_u:object_r:cert_t for ./dovecot/private/dovecot.pem and system_u:object_r:dovecot_cert_t for ./dovecot/certs/dovecot.pem.

Use the tls/certs/Makefile in to make the proper certs for tls. All the tls certs get system_u:object_r:cert_t .

Regards,
John





This would probably mean that SELinux policies deployed in Fedora are somewhat too liberal?...

STF
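
Added example (not part of the thread, and not Fedora's or Dovecot's own tooling): a small shell audit that compares the SELinux type of each TLS file with the type named in the quoted reply above. It assumes the reply's relative paths sit under /etc/pki; the sample input and the postfix.pem file name are constructed.

```shell
#!/bin/sh
# Added example: compare SELinux types of TLS files with the types named in the message.
# Input lines have the form "CONTEXT PATH", as printed by: stat -c '%C %n' FILE...

# Print the type the message gives for a path; fail if the message names none.
expected_type() {
    case "$1" in
        /etc/pki/dovecot/private/*) echo cert_t ;;
        /etc/pki/dovecot/certs/*)   echo dovecot_cert_t ;;
        /etc/pki/tls/certs/*)       echo cert_t ;;
        *) return 1 ;;
    esac
}

# Extract the type field from user:role:type[:level].
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Report one file as OK, MISMATCH or UNKNOWN (path not covered by the message).
audit_line() {
    want=$(expected_type "$2") || { echo "UNKNOWN $2"; return 0; }
    got=$(type_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK $2"
    else
        # On a live host, `restorecon -v PATH` resets the label to the policy default.
        echo "MISMATCH $2 has $got, expected $want"
    fi
}

# Read "CONTEXT PATH" lines from stdin and audit each one.
audit() {
    while read -r ctx file; do
        if [ -n "$file" ]; then audit_line "$ctx" "$file"; fi
    done
}

# Constructed sample input (not taken from a real host).
sample_input() {
    cat <<'EOF'
system_u:object_r:cert_t:s0 /etc/pki/dovecot/private/dovecot.pem
system_u:object_r:etc_t:s0 /etc/pki/dovecot/certs/dovecot.pem
system_u:object_r:cert_t:s0 /etc/pki/tls/certs/postfix.pem
unconfined_u:object_r:user_home_t:s0 /root/dovecot.pem
EOF
}

sample_input | audit
```

On an SELinux host, replace `sample_input` with `stat -c '%C %n'` run over the real certificate and key files.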


