<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
<br>
<blockquote cite="mid:20080209170011.C842972F06@hormel.redhat.com"
 type="cite"><br>
  <table class="header-part1" border="0" cellpadding="0" cellspacing="0"
 width="100%">
    <tbody>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Subject:
        </div>
Re: host certificates &amp; keys</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">From: </div>
"Stanisław T. Findeisen" <a class="moz-txt-link-rfc2396E" href="mailto:sf181257@students.mimuw.edu.pl">&lt;sf181257@students.mimuw.edu.pl&gt;</a></td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Date: </div>
Fri, 08 Feb 2008 20:00:10 +0100</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">To: </div>
Daniel J Walsh <a class="moz-txt-link-rfc2396E" href="mailto:dwalsh@redhat.com">&lt;dwalsh@redhat.com&gt;</a></td>
      </tr>
    </tbody>
  </table>
  <table class="header-part2" border="0" cellpadding="0" cellspacing="0"
 width="100%">
    <tbody>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">CC: </div>
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a></td>
      </tr>
    </tbody>
  </table>
  <table class="header-part3" border="0" cellpadding="0" cellspacing="0"
 width="100%">
    <tbody>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Content-Transfer-Encoding:
        </div>
7bit</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Precedence:
        </div>
junk</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">MIME-Version:
        </div>
1.0</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">References:
        </div>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7859.6050003@students.mimuw.edu.pl">&lt;47AC7859.6050003@students.mimuw.edu.pl&gt;</a>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7DFF.40908@redhat.com">&lt;47AC7DFF.40908@redhat.com&gt;</a></td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">In-Reply-To:
        </div>
<a class="moz-txt-link-rfc2396E" href="mailto:47AC7DFF.40908@redhat.com">&lt;47AC7DFF.40908@redhat.com&gt;</a></td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Message-ID:
        </div>
<a class="moz-txt-link-rfc2396E" href="mailto:47ACA6BA.8060000@students.mimuw.edu.pl">&lt;47ACA6BA.8060000@students.mimuw.edu.pl&gt;</a></td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Content-Type:
        </div>
text/plain; charset=ISO-8859-2; format=flowed</td>
      </tr>
      <tr>
        <td>
        <div class="headerdisplayname" style="display: inline;">Message:
        </div>
2</td>
      </tr>
    </tbody>
  </table>
  <br>
Daniel J Walsh wrote:
  <br>
  <blockquote type="cite">
    <blockquote type="cite">Are there any standard ways to add
certificate and private key files to
      <br>
services like Postfix (SMTP) or Dovecot (POP3/IMAP) to enable them use
TLS?
      <br>
    </blockquote>
    <br>
I don't see this as an SELinux question?
    <br>
  </blockquote>
  <br>
Can I add them anywhere, name them as I wish, give them any SELinux
labels and permissions and SELinux will allow read access to them?
  <br>
</blockquote>
The standard place to put them is /etc/pki. Dovecot installs a
directory there for secure POP and IMAP and you put them in
./dovecot/private or ./dovecot/certs. The default name is dovecot.pem
for both private and certs. If you use another name, just make the
entry in dovecot.conf match and uncomment the lines for ssl_cert_file
and ssl_key_file.<br>
<br>
There are similar locations for TLS in the /etc/pki directory.<br>
<br>
The files should pick up the correct SELinux context but if they don't,
it is system_u:object_r:cert_t for ./dovecot/private/dovecot.pem and
system_u:object_r:dovecot_cert_t for ./dovecot/certs/dovecot.pem.<br>
<br>
Use the tls/certs/Makefile in to make the proper certs for tls. All the
tls certs get system_u:object_r:cert_t .<br>
<br>
Regards,<br>
John<br>
<br>
<br>
<br>
<br>
<blockquote cite="mid:20080209170011.C842972F06@hormel.redhat.com"
 type="cite"><br>
This would probably mean, that SELinux policies deployed in Fedora are
somewhat too liberal?...
  <br>
  <br>
STF
  <br>
  <br>
  <br>
  <pre wrap="">
<hr size="4" width="90%">
--
fedora-selinux-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:fedora-selinux-list@redhat.com">fedora-selinux-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-selinux-list">https://www.redhat.com/mailman/listinfo/fedora-selinux-list</a></pre>
</blockquote>
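A label check for the two Dovecot files discussed in the reply above, as an added example that is not part of the original thread. The expected types are the ones quoted in the reply; the function names, the full paths (the reply's ./dovecot/... under /etc/pki) and the sample `stat` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the SELinux type of certificate and key files
# against the types quoted in the reply above.

# Expected "PATH TYPE" pairs, taken from the reply (paths assume /etc/pki).
EXPECTED='/etc/pki/dovecot/private/dovecot.pem cert_t
/etc/pki/dovecot/certs/dovecot.pem dovecot_cert_t'

# Constructed sample in the layout of: stat -c '%C %n' FILE...
# The second file carries a home-directory label, as happens when a file
# is moved (not copied) into place and keeps its old context.
SAMPLE_STAT='system_u:object_r:cert_t:s0 /etc/pki/dovecot/private/dovecot.pem
unconfined_u:object_r:user_home_t:s0 /etc/pki/dovecot/certs/dovecot.pem'

# Print the type, the third colon-separated field of a context
# (user:role:type[:level]).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "CONTEXT PATH" lines on stdin, report each path whose type differs
# from the expected map in $1, and return non-zero if any mismatch is found.
audit_labels() {
    expected=$1
    rc=0
    while read -r ctx path; do
        want=$(printf '%s\n' "$expected" | awk -v p="$path" '$1 == p { print $2 }')
        [ -n "$want" ] || continue      # path not in the map: nothing to check
        have=$(selinux_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have %s, want %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample. On a live system, feed it
#   stat -c '%C %n' /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem
if ! printf '%s\n' "$SAMPLE_STAT" | audit_labels "$EXPECTED"; then
    echo "relabel to the policy defaults with: restorecon -Rv /etc/pki"
fi
```

`restorecon` resets files to whatever the loaded policy's file-context rules specify, so its result is authoritative for the installed policy version even where that differs from the types listed in the map.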
</body>
</html>