<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
<br>
<blockquote cite="mid:20080209170011.C842972F06@hormel.redhat.com"
type="cite"><br>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0"
width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Subject:
</div>
Re: host certificates & keys</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">From: </div>
"Stanisław T. Findeisen" <a class="moz-txt-link-rfc2396E" href="mailto:sf181257@students.mimuw.edu.pl"><sf181257@students.mimuw.edu.pl></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Date: </div>
Fri, 08 Feb 2008 20:00:10 +0100</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">To: </div>
Daniel J Walsh <a class="moz-txt-link-rfc2396E" href="mailto:dwalsh@redhat.com"><dwalsh@redhat.com></a></td>
</tr>
</tbody>
</table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0"
width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">CC: </div>
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a></td>
</tr>
</tbody>
</table>
<table class="header-part3" border="0" cellpadding="0" cellspacing="0"
width="100%">
<tbody>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Content-Transfer-Encoding:
</div>
7bit</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Precedence:
</div>
junk</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">MIME-Version:
</div>
1.0</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">References:
</div>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7859.6050003@students.mimuw.edu.pl"><47AC7859.6050003@students.mimuw.edu.pl></a>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7DFF.40908@redhat.com"><47AC7DFF.40908@redhat.com></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">In-Reply-To:
</div>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7DFF.40908@redhat.com"><47AC7DFF.40908@redhat.com></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Message-ID:
</div>
<a class="moz-txt-link-rfc2396E" href="mailto:47ACA6BA.8060000@students.mimuw.edu.pl"><47ACA6BA.8060000@students.mimuw.edu.pl></a></td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Content-Type:
</div>
text/plain; charset=ISO-8859-2; format=flowed</td>
</tr>
<tr>
<td>
<div class="headerdisplayname" style="display: inline;">Message:
</div>
2</td>
</tr>
</tbody>
</table>
<br>
Daniel J Walsh wrote:
<br>
<blockquote type="cite">
<blockquote type="cite">Are there any standard ways to add
certificate and private key files to
<br>
services like Postfix (SMTP) or Dovecot (POP3/IMAP) to enable them use
TLS?
<br>
</blockquote>
<br>
I don't see this as an SELinux question?
<br>
</blockquote>
<br>
Can I add them anywhere, name them as I wish, give them any SELinux
labels and permissions and SELinux will allow read access to them?
<br>
</blockquote>
The standard place to put them is /etc/pki . Dovecot installs a
directory there for secure POP and IMAP and you put them in
./dovecot/private or ./dovecot/certs. The default name is dovecot.pem
for both private and certs. If you use another name, just make the
entry in dovecot.conf match and uncomment the lines for ssl_cert_file
and ssl_key_file.<br>
<br>
There are similar locations for tls in the /etc/pki directory.<br>
<br>
The files should pick up the correct SELinux context but if they don't,
it is system_u:object_r:cert_t for ./dovecot/private/dovecot.pem and
system_u:object_r:dovecot_cert_t for ./dovecot/certs/dovecot.pem.<br>
<br>
Use the tls/certs/Makefile to make the proper certs for tls. All the
tls certs get system_u:object_r:cert_t .<br>
<br>
Regards,<br>
John<br>
<br>
<br>
<br>
<br>
<blockquote cite="mid:20080209170011.C842972F06@hormel.redhat.com"
type="cite"><br>
This would probably mean that SELinux policies deployed in Fedora are
somewhat too liberal?...
<br>
<br>
STF
<br>
<br>
<br>
<pre wrap="">
<hr size="4" width="90%">
--
fedora-selinux-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a></pre>
</blockquote>
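<p>An added example, not part of the thread: a small POSIX shell checker for the labelling step John describes. It feeds <code>stat -c '%C %n'</code> output for the cert and key files through a function that compares each file's SELinux type with the expectation for its directory; the expected types are the ones stated in the reply above, and the sample input, the file name <code>postfix.pem</code> and the function names are constructed for the example.</p>

```shell
#!/bin/sh
# Added example, not code from the thread: verify the SELinux type of TLS
# certificate/key files before blaming the policy. Expected types per
# directory are the ones John's reply gives; confirm them on your own
# system with `matchpathcon <path>`, since policies differ between releases.
# Input: one "<context> <path>" line per file, i.e. the output of
#   stat -c '%C %n' /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem

expected_type_for() {
    case "$1" in
        /etc/pki/dovecot/private/*) echo cert_t ;;
        /etc/pki/dovecot/certs/*)   echo dovecot_cert_t ;;
        /etc/pki/tls/*)             echo cert_t ;;
        *)                          echo unknown ;;
    esac
}

# Reads "<context> <path>" lines on stdin, prints one line per file, and
# returns 1 if any file needs relabelling.
check_cert_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        seltype=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
        want=$(expected_type_for "$path")
        if [ "$want" = unknown ]; then
            printf 'SKIP     %s (no expectation recorded for this path)\n' "$path"
        elif [ "$seltype" != "$want" ]; then
            printf 'MISMATCH %s is %s, expected %s -> restorecon -v %s\n' \
                "$path" "$seltype" "$want" "$path"
            rc=1
        else
            printf 'OK       %s (%s)\n' "$path" "$seltype"
        fi
    done
    return "$rc"
}

# Constructed sample (not real output): the certs copy was moved with mv
# from a home directory, so it kept user_home_t and dovecot cannot read it.
SAMPLE_STAT_OUTPUT='system_u:object_r:cert_t:s0 /etc/pki/dovecot/private/dovecot.pem
unconfined_u:object_r:user_home_t:s0 /etc/pki/dovecot/certs/dovecot.pem
system_u:object_r:cert_t:s0 /etc/pki/tls/certs/postfix.pem'

printf '%s\n' "$SAMPLE_STAT_OUTPUT" | check_cert_labels \
    || echo "relabel the MISMATCH files, then restart the service"
```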
</body>
</html>