2014-05-22 17:55:42

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)

The original qmail module explicitly marked /var/qmail directory as
var_t as this location is nothing more than a generic root location. The
actual qmail specifics are subdirectories in this location.

Most domains that use qmail components do not expect this location to be
qmail_etc_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..c6c27c3 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -252,6 +252,8 @@ ifndef(`distro_redhat',`
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>

+/var/qmail -d gen_context(system_u:object_r:var_t,s0)
+
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
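Review bot: the hunk header reports `ifndef(`distro_redhat',` as the nearest enclosing context, so please confirm the new `/var/qmail` line is not inside that conditional; if it is, Red Hat builds would never receive the var_t spec while every other distribution would, which the commit message does not say is intended. A second concern is that this adds an application-specific path to kernel/files.fc without touching the qmail module's own file contexts: if qmail.fc still carries a spec matching `/var/qmail` (the message says it currently yields qmail_etc_t), two specs compete for the same directory and the effective label depends on file-context ordering rather than on this patch. Removing `/var/qmail` itself from the qmail module's .fc, and leaving only its subdirectories labelled there, would resolve the ambiguity in one place.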
--
1.8.5.5


2014-05-27 12:53:33

by cpebenito

Subject: [refpolicy] [PATCH 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)

On 05/22/2014 01:55 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
>
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/kernel/files.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index b876c48..c6c27c3 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -252,6 +252,8 @@ ifndef(`distro_redhat',`
> /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
> /var/lost\+found/.* <<none>>
>
> +/var/qmail -d gen_context(system_u:object_r:var_t,s0)
> +
> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> /var/run -l gen_context(system_u:object_r:var_run_t,s0)
> /var/run/.* gen_context(system_u:object_r:var_run_t,s0)

It sounds like the file context in the qmail module needs to be fixed to not include /var/qmail instead.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com