2012-08-11 18:59:48

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 0/6] Postfix (and a few mta) policy updates

This patchset updates the postfix (and mta) policy with various changes:

Sven Vermeulen (6):
Mark the pid directory as a pid directory
Add in transitions for queue types when the queues are created
Fix typo in interface postfix_exec_postqueue
Allow maildelivery to use dotlock files in the mail spool
Allow postfix local to change ownership of mailfiles
Use libexec location for postfix binaries

mta.te | 4 +---
nagios.te | 2 +-
postfix.fc | 7 +++----
postfix.if | 19 ++++++++++++++++++-
postfix.te | 17 ++++++++++++++++-
5 files changed, 39 insertions(+), 10 deletions(-)

--
1.7.8.6


2012-08-11 18:59:49

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 1/6] Mark the pid directory as a pid directory

Currently, the policy has the pid directory itself marked as the postfix_spool_t
type. However, when mails are delivered, several postfix daemons need to
add/remove their PID files. It makes much more sense to mark this location as
postfix_var_run_t rather than having file transitions for all these daemons when
they write their PID file.

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.fc | 2 +-
postfix.if | 1 +
2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index 1ddfa16..90bf84e 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -46,7 +46,7 @@ ifdef(`distro_redhat', `

/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
diff --git a/postfix.if b/postfix.if
index 46bee12..9f7355b 100644
--- a/postfix.if
+++ b/postfix.if
@@ -57,6 +57,7 @@ template(`postfix_domain_template',`
allow postfix_$1_t postfix_spool_t:dir list_dir_perms;

allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+ allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;
files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)

kernel_read_system_state(postfix_$1_t)
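Review bot: The added `allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;` sits in `postfix_domain_template`, so every domain built from the template gets add/remove-entry rights on the PID directory, not only the daemons that write PID files. Together with the existing `manage_file_perms` on the files, any such domain can now remove or replace another daemon's PID file. The commit message speaks of "several postfix daemons"; if that is a subset, the rule would be better placed with those domains. Otherwise a comment such as `# postfix daemons add and remove their PID files in /var/spool/postfix/pid` would record why the grant is template-wide. The template body starts and ends outside this hunk.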
--
1.7.8.6

2012-08-11 18:59:50

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 2/6] Add in transitions for queue types when the queues are created

At startup, postfix creates the missing queue directories inside
/var/spool/postfix. This is done by the master process. However, since the
/var/spool/postfix directory is labeled postfix_spool_t and there were no named
file transitions, all created queues became postfix_spool_t. This meant that an
administrator had to relabel the directories afterwards.

This patch adds in the necessary named file transitions for those directories,
create privileges for the master domain and setattr (to change directory
ownership).

Also add in the fowner capability for the master domain, needed for running
chown on the queues.

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/postfix.te b/postfix.te
index a1e0f60..d691ed1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -93,7 +93,7 @@ mta_mailserver_delivery(postfix_virtual_t)
#

# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config fowner };
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
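Review bot: The comment above this rule still explains only `chown`, while the newly added `fowner` is the broader grant: CAP_FOWNER bypasses the owner check on operations such as chmod for files the process does not own, whereas changing ownership is already covered by `chown`. The commit message ties `fowner` to running chown on the queues, so it is worth confirming from the AVC denial which operation actually needs it. If it is required, extend the comment to say so, for example `# chown and fowner are to set the correct ownership and mode of queue dirs`, adjusted to whatever the denial shows.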
@@ -112,15 +112,21 @@ allow postfix_master_t postfix_postdrop_exec_t:file getattr;

allow postfix_master_t postfix_postqueue_exec_t:file getattr;

+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")

domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)

allow postfix_master_t postfix_prng_t:file rw_file_perms;

+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")

domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
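Review bot: The named transitions added here match on the last path component only, so `filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")` applies to a directory called `private` that the master creates in any postfix_spool_t directory, not just directly under /var/spool/postfix. Since the file contexts label the rest of the /var/spool/postfix subtree postfix_spool_t, a one-line comment would make that scope explicit, e.g. `# named transitions: queue dirs created at startup get their own type (matched by name in any postfix_spool_t dir)`. The same applies to the `public` rule in this hunk and to the `bounce`, `flush`, `maildrop` and `pid` rules in the next hunk.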

@@ -131,14 +137,22 @@ files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)

allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
allow postfix_master_t postfix_spool_bounce_t:file getattr;
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")

manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")

+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
+
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
+setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")

kernel_read_all_sysctls(postfix_master_t)

--
1.7.8.6

2012-08-11 18:59:51

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 3/6] Fix typo in interface postfix_exec_postqueue

To allow domains to execute the postqueue command, they should use
postfix_exec_postqueue, not posftix_exec_postqueue.

Signed-off-by: Sven Vermeulen <[email protected]>
---
nagios.te | 2 +-
postfix.if | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/nagios.te b/nagios.te
index c3e2a2d..b8127bc 100644
--- a/nagios.te
+++ b/nagios.te
@@ -300,7 +300,7 @@ optional_policy(`

optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
- posftix_exec_postqueue(nagios_mail_plugin_t)
+ postfix_exec_postqueue(nagios_mail_plugin_t)
')

######################################
diff --git a/postfix.if b/postfix.if
index 9f7355b..6b76985 100644
--- a/postfix.if
+++ b/postfix.if
@@ -455,7 +455,8 @@ interface(`postfix_domtrans_postqueue',`

#######################################
## <summary>
-## Execute the master postqueue in the caller domain.
+## Execute the master postqueue in the caller domain. (Deprecated)
+## Please use postfix_exec_postqueue instead
## </summary>
## <param name="domain">
## <summary>
@@ -464,6 +465,21 @@ interface(`postfix_domtrans_postqueue',`
## </param>
#
interface(`posftix_exec_postqueue',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ postfix_exec_postqueue($1)
+')
+
+#######################################
+## <summary>
+## Execute the master postqueue in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_exec_postqueue',`
gen_require(`
type postfix_postqueue_exec_t;
')
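Review bot: The deprecation warning in the retained `posftix_exec_postqueue` wrapper does not name the replacement, so a policy author who sees it at build time has to open postfix.if to find out what to call instead. Consider ``refpolicywarn(`$0($*) has been deprecated, please use postfix_exec_postqueue() instead.')``. The body of the new `postfix_exec_postqueue` interface continues past the end of this hunk.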
--
1.7.8.6

2012-08-11 18:59:52

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 4/6] Allow maildelivery to use dotlock files in the mail spool

When a mail delivery server wants to append mails to the users' mail spool file,
it might also use dotlock files in order to "lock" access to the mail spool
file. This requires the domain file managing rights (create/write/remove) within
the mta_spool_t resource.

Note that this isn't needed if only fcntl locking is used, but most mail
delivery services use dotlock locking as well. Also, since the lock files are
named <username>.lock we cannot create file transitions (towards a lock type) as
we cannot mention the filenames up front.

Signed-off-by: Sven Vermeulen <[email protected]>
---
mta.te | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/mta.te b/mta.te
index 84a7d66..9b0ff1d 100644
--- a/mta.te
+++ b/mta.te
@@ -214,9 +214,7 @@ optional_policy(`
#

allow mailserver_delivery mail_spool_t:dir list_dir_perms;
-create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+manage_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
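Review bot: Replacing the create/read/append patterns with `manage_files_pattern` gives every `mailserver_delivery` domain write, rename, setattr, link and unlink on all `mail_spool_t` files, so the mailboxes themselves are no longer append-only for delivery agents; a misbehaving or compromised agent could overwrite or truncate existing mail, not just handle its lock file. Because the lock files cannot get their own type, a narrower grant is worth trying first: keep the three original patterns and add only what the dotlock denials show, presumably `delete_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)` and, if the lock is taken via a hard link, `allow mailserver_delivery mail_spool_t:file link;`. If the full manage set really is required, a comment above the rule such as `# manage is needed for <username>.lock dotlock files, which share mail_spool_t` would record why.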

--
1.7.8.6

2012-08-11 18:59:54

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 6/6] Use libexec location for postfix binaries

Recent postfix releases have their binaries at /usr/libexec instead of /usr/lib.
This patch removes the ifdef for distro_redhat since, even for distributions
that would still have the old locations, having the definitions for the contexts
loaded doesn't hurt.

Add in a small blurb too to reflect the potential deprecation of said contexts.

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.fc | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index 90bf84e..6d61b82 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -1,6 +1,5 @@
# postfix
/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
@@ -15,7 +14,7 @@ ifdef(`distro_redhat', `
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
+# Older location for postfix binaries, might be cleaned up in near future?
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -29,7 +28,7 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-')
+
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--
1.7.8.6

2012-08-11 18:59:53

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 5/6] Allow postfix local to change ownership of mailfiles

When the postfix local service delivers a file to a user mailbox, but that
mailbox doesn't exist, then the service creates the mailbox and wants to change
the ownership of the file. This needs the chown capability.

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/postfix.te b/postfix.te
index d691ed1..e50742e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -278,6 +278,7 @@ optional_policy(`
# Postfix local local policy
#

+allow postfix_local_t self:capability chown;
allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
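Review bot: The new `allow postfix_local_t self:capability chown;` has no comment, and a capability is granted to the whole domain rather than to a file type, so the reason is easy to lose. Which files postfix_local_t can actually re-own is decided by its setattr permissions elsewhere in the policy, outside this hunk. The master domain's capability rule in the same file carries `# chown is to set the correct ownership of queue dirs`; a matching line here, e.g. `# chown is to set the ownership of newly created mailboxes`, would keep the rationale from the commit message next to the rule.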

--
1.7.8.6

2012-08-11 19:27:54

by debian

Subject: [refpolicy] [PATCH v1 6/6] Use libexec location for postfix binaries

Hi,

Am Sat, 11 Aug 2012 20:59:54 +0200
schrieb Sven Vermeulen <[email protected]>:

> Recent postfix releases have their binaries at /usr/libexec instead
> of /usr/lib. This patch removes the ifdef for distro_redhat since,
> even for distributions that would still have the old locations,
> having the definitions for the contexts loaded doesn't hurt.
>
> Add in a small blurb too to reflect the potential deprecation of said
> contexts.

I think this is wrong. The FHS still does not contain anything
about /usr/libexec and consequently, debian doesn't have it. I am not
fully aware if this is handled by some /usr/libexec -> /usr/lib build
replacement magic for debian, if it is, then you are of course right
that the old definitions are not needed anymore and might be removed
some time.

Cheers,

Mika
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> postfix.fc | 5 ++---
> 1 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/postfix.fc b/postfix.fc
> index 90bf84e..6d61b82 100644
> --- a/postfix.fc
> +++ b/postfix.fc
> @@ -1,6 +1,5 @@
> # postfix
> /etc/postfix(/.*)?
> gen_context(system_u:object_r:postfix_etc_t,s0)
> -ifdef(`distro_redhat', ` /usr/libexec/postfix/.* --
> gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup
> --
> gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/libexec/postfix/lmtp
> -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) @@
> -15,7 +14,7 @@ ifdef(`distro_redhat', ` /usr/libexec/postfix/bounce
> --
> gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/libexec/postfix/pipe
> --
> gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/libexec/postfix/virtual
> -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> -', ` +# Older location for postfix binaries, might be cleaned up in
> near future? /usr/lib/postfix/.* --
> gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup
> --
> gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/lib/postfix/local --
> gen_context(system_u:object_r:postfix_local_exec_t,s0) @@ -29,7 +28,7
> @@ ifdef(`distro_redhat', ` /usr/lib/postfix/bounce --
> gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe --
> gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/lib/postfix/virtual
> -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> -') + /etc/postfix/postfix-script.* --
> gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch --
> gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postcat --
> gen_context(system_u:object_r:postfix_master_exec_t,s0)



--
Own your own computer. Don't use Windows 7. <http://windows7sins.org>

2012-08-12 09:54:45

by dominick.grift

Subject: [refpolicy] [PATCH v1 1/6] Mark the pid directory as a pid directory

On Sat, 2012-08-11 at 20:59 +0200, Sven Vermeulen wrote:

> diff --git a/postfix.if b/postfix.if
> index 46bee12..9f7355b 100644
> --- a/postfix.if
> +++ b/postfix.if
> @@ -57,6 +57,7 @@ template(`postfix_domain_template',`
> allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
>
> allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
> + allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;
> files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
>

i would change "allow postfix_$1_t postfix_var_run_t:file
manage_file_perms;" to "manage_files_pattern(postfix_$1_t,
postfix_var_run_t, postfix_var_run_t)" rather than adding "allow
postfix_$1_t postfix_var_run_t:dir rw_dir_perms;".

This is what that pattern is for.

define(`manage_files_pattern',`
allow $1 $2:dir rw_dir_perms;
allow $1 $3:file manage_file_perms;
')

> kernel_read_system_state(postfix_$1_t)

2012-08-12 09:58:02

by dominick.grift

Subject: [refpolicy] [PATCH v1 6/6] Use libexec location for postfix binaries

On Sat, 2012-08-11 at 21:27 +0200, Mika Pflüger wrote:
> Hi,
>
> Am Sat, 11 Aug 2012 20:59:54 +0200
> schrieb Sven Vermeulen <[email protected]>:
>
> > Recent postfix releases have their binaries at /usr/libexec instead
> > of /usr/lib. This patch removes the ifdef for distro_redhat since,
> > even for distributions that would still have the old locations,
> > having the definitions for the contexts loaded doesn't hurt.
> >
> > Add in a small blurb too to reflect the potential deprecation of said
> > contexts.
>
> I think this is wrong. The FHS still does not contain anything
> about /usr/libexec and consequently, debian doesn't have it. I am not
> fully aware if this is handled by some /usr/libexec -> /usr/lib build
> replacement magic for debian, if it is, then you are of course right
> that the old definitions are not needed anymore and might be removed
> some time.

It doesnt really matter imho. If gentoo has the content now
in /usr/libexec then we need to support both unconditionally.


> Cheers,
>
> Mika
> >
> > Signed-off-by: Sven Vermeulen <[email protected]>
> > ---
> > postfix.fc | 5 ++---
> > 1 files changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/postfix.fc b/postfix.fc
> > index 90bf84e..6d61b82 100644
> > --- a/postfix.fc
> > +++ b/postfix.fc
> > @@ -1,6 +1,5 @@
> > # postfix
> > /etc/postfix(/.*)?
> > gen_context(system_u:object_r:postfix_etc_t,s0)
> > -ifdef(`distro_redhat', ` /usr/libexec/postfix/.* --
> > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup
> > --
> > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/libexec/postfix/lmtp
> > -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) @@
> > -15,7 +14,7 @@ ifdef(`distro_redhat', ` /usr/libexec/postfix/bounce
> > --
> > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/libexec/postfix/pipe
> > --
> > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/libexec/postfix/virtual
> > -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> > -', ` +# Older location for postfix binaries, might be cleaned up in
> > near future? /usr/lib/postfix/.* --
> > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup
> > --
> > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/lib/postfix/local --
> > gen_context(system_u:object_r:postfix_local_exec_t,s0) @@ -29,7 +28,7
> > @@ ifdef(`distro_redhat', ` /usr/lib/postfix/bounce --
> > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe --
> > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/lib/postfix/virtual
> > -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> > -') + /etc/postfix/postfix-script.* --
> > gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch --
> > gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postcat --
> > gen_context(system_u:object_r:postfix_master_exec_t,s0)
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2012-08-12 14:42:37

by debian

Subject: [refpolicy] [PATCH v1 6/6] Use libexec location for postfix binaries

Hi,

Am Sun, 12 Aug 2012 11:58:02 +0200
schrieb Dominick Grift <[email protected]>:

> On Sat, 2012-08-11 at 21:27 +0200, Mika Pfl?ger wrote:
> > Hi,
> >
> > Am Sat, 11 Aug 2012 20:59:54 +0200
> > schrieb Sven Vermeulen <[email protected]>:
> >
> > > Recent postfix releases have their binaries at /usr/libexec
> > > instead of /usr/lib. This patch removes the ifdef for
> > > distro_redhat since, even for distributions that would still have
> > > the old locations, having the definitions for the contexts loaded
> > > doesn't hurt.
> > >
> > > Add in a small blurb too to reflect the potential deprecation of
> > > said contexts.
> >
> > I think this is wrong. The FHS still does not contain anything
> > about /usr/libexec and consequently, debian doesn't have it. I am
> > not fully aware if this is handled by some /usr/libexec -> /usr/lib
> > build replacement magic for debian, if it is, then you are of
> > course right that the old definitions are not needed anymore and
> > might be removed some time.
>
> It doesnt really matter imho. If gentoo has the content now
> in /usr/libexec then we need to support both unconditionally.

I was talking about the "small blurb to reflect the potential
deprecation of said contexts.", specifically the line
> +# Older location for postfix binaries, might be cleaned up in near \
> future?

from the patch. Sorry for the confusing citation of the whole
description.

I am not at all opposed to have both contexts unconditionally - I just
don't want the /usr/lib contexts to go away in the near future with
debian then patching them conditionally in again.

Cheers,

Mika



> > > Signed-off-by: Sven Vermeulen <[email protected]>
> > > ---
> > > postfix.fc | 5 ++---
> > > 1 files changed, 2 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/postfix.fc b/postfix.fc
> > > index 90bf84e..6d61b82 100644
> > > --- a/postfix.fc
> > > +++ b/postfix.fc
> > > @@ -1,6 +1,5 @@
> > > # postfix
> > > /etc/postfix(/.*)?
> > > gen_context(system_u:object_r:postfix_etc_t,s0)
> > > -ifdef(`distro_redhat', ` /usr/libexec/postfix/.* --
> > > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup
> > > --
> > > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/libexec/postfix/lmtp
> > > -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) @@
> > > -15,7 +14,7 @@ ifdef(`distro_redhat',
> > > ` /usr/libexec/postfix/bounce --
> > > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/libexec/postfix/pipe
> > > --
> > > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/libexec/postfix/virtual
> > > -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> > > -', ` +# Older location for postfix binaries, might be cleaned up
> > > in near future? /usr/lib/postfix/.* --
> > > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup
> > > --
> > > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/lib/postfix/local --
> > > gen_context(system_u:object_r:postfix_local_exec_t,s0) @@ -29,7
> > > +28,7 @@ ifdef(`distro_redhat',
> > > ` /usr/lib/postfix/bounce --
> > > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe --
> > > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/lib/postfix/virtual
> > > --
> > > gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -')
> > > + /etc/postfix/postfix-script.* --
> > > gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch --
> > > gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postcat --
> > > gen_context(system_u:object_r:postfix_master_exec_t,s0)
> >
> >
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy



--
Own your own computer. Don't use Windows 7. <http://windows7sins.org>

2012-08-12 15:21:28

by dominick.grift

Subject: [refpolicy] [PATCH v1 6/6] Use libexec location for postfix binaries



On Sun, 2012-08-12 at 16:42 +0200, Mika Pflüger wrote:
> Hi,
>
> Am Sun, 12 Aug 2012 11:58:02 +0200
> schrieb Dominick Grift <[email protected]>:
>
> > On Sat, 2012-08-11 at 21:27 +0200, Mika Pfl?ger wrote:
> > > Hi,
> > >
> > > Am Sat, 11 Aug 2012 20:59:54 +0200
> > > schrieb Sven Vermeulen <[email protected]>:
> > >
> > > > Recent postfix releases have their binaries at /usr/libexec
> > > > instead of /usr/lib. This patch removes the ifdef for
> > > > distro_redhat since, even for distributions that would still have
> > > > the old locations, having the definitions for the contexts loaded
> > > > doesn't hurt.
> > > >
> > > > Add in a small blurb too to reflect the potential deprecation of
> > > > said contexts.
> > >
> > > I think this is wrong. The FHS still does not contain anything
> > > about /usr/libexec and consequently, debian doesn't have it. I am
> > > not fully aware if this is handled by some /usr/libexec -> /usr/lib
> > > build replacement magic for debian, if it is, then you are of
> > > course right that the old definitions are not needed anymore and
> > > might be removed some time.
> >
> > It doesnt really matter imho. If gentoo has the content now
> > in /usr/libexec then we need to support both unconditionally.
>
> I was talking about the "small blurb to reflect the potential
> deprecation of said contexts.", specifically the line
> > +# Older location for postfix binaries, might be cleaned up in near \
> > future?
>
> from the patch. Sorry for the confusing citation of the whole
> description.
>
> I am not at all opposed to have both contexts unconditionally - I just
> don't want the /usr/lib contexts to go away in the near future with
> debian then patching them conditionally in again.

Oh right i agree, then i misunderstood, and yes the comment is not
needed imho.

> Cheers,
>
> Mika
>
>
>
> > > > Signed-off-by: Sven Vermeulen <[email protected]>
> > > > ---
> > > > postfix.fc | 5 ++---
> > > > 1 files changed, 2 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/postfix.fc b/postfix.fc
> > > > index 90bf84e..6d61b82 100644
> > > > --- a/postfix.fc
> > > > +++ b/postfix.fc
> > > > @@ -1,6 +1,5 @@
> > > > # postfix
> > > > /etc/postfix(/.*)?
> > > > gen_context(system_u:object_r:postfix_etc_t,s0)
> > > > -ifdef(`distro_redhat', ` /usr/libexec/postfix/.* --
> > > > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/libexec/postfix/cleanup
> > > > --
> > > > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/libexec/postfix/lmtp
> > > > -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) @@
> > > > -15,7 +14,7 @@ ifdef(`distro_redhat',
> > > > ` /usr/libexec/postfix/bounce --
> > > > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/libexec/postfix/pipe
> > > > --
> > > > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/libexec/postfix/virtual
> > > > -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
> > > > -', ` +# Older location for postfix binaries, might be cleaned up
> > > > in near future? /usr/lib/postfix/.* --
> > > > gen_context(system_u:object_r:postfix_exec_t,s0) /usr/lib/postfix/cleanup
> > > > --
> > > > gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/lib/postfix/local --
> > > > gen_context(system_u:object_r:postfix_local_exec_t,s0) @@ -29,7
> > > > +28,7 @@ ifdef(`distro_redhat',
> > > > ` /usr/lib/postfix/bounce --
> > > > gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe --
> > > > gen_context(system_u:object_r:postfix_pipe_exec_t,s0) /usr/lib/postfix/virtual
> > > > --
> > > > gen_context(system_u:object_r:postfix_virtual_exec_t,s0) -')
> > > > + /etc/postfix/postfix-script.* --
> > > > gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch --
> > > > gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postcat --
> > > > gen_context(system_u:object_r:postfix_master_exec_t,s0)
> > >
> > >
> > >
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy