The original qmail module explicitly marked /var/qmail directory as
var_t as this location is nothing more than a generic root location. The
actual qmail specifics are subdirectories in this location.
Most domains that use qmail components do not expect this location to be
qmail_etc_t.
Changes since v2
- Use .+ instead of (.*)? expression as suggested on #selinux
Signed-off-by: Sven Vermeulen <[email protected]>
---
qmail.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qmail.fc b/qmail.fc
index e53fe5a..d78c77d 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -32,6 +32,6 @@
/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
--
1.8.5.5
The problem with this change, is it would break a confined admin. If a
confined admin tried to create new content in /var/qmail he would be denied.
On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
>
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.
>
> Changes since v2
> - Use .+ instead of (.*)? expression as suggested on #selinux
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> qmail.fc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/qmail.fc b/qmail.fc
> index e53fe5a..d78c77d 100644
> --- a/qmail.fc
> +++ b/qmail.fc
> @@ -32,6 +32,6 @@
> /var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
> /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
>
> -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
> +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
>
> /var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin. If a
> confined admin tried to create new content in /var/qmail he would be denied.
> > -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
> > +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
In that case it would make more sense to follow the best practice that is
used by most daemons, that is to label /var/qmail as a qmail-specific
variable type (like qmail_var_t) and have specific files under it as the
configuration type (qmail_etc_t) as needed.
It sucks a bit that qmail has this change structure. It is the original (?)
qmail.fc author that contacted me about this, as the (then NSA-provided)
qmail.fc didn't mark /var/qmail as qmail_etc_t.
Wkr,
Sven Vermeulen
Hi,
I wrote that policy a few years back.
On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin. If a
> confined admin tried to create new content in /var/qmail he would be denied.
> On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
what new content are you refering to?
as far as a standard qmail install goes, the only thing that is customizable once qmail is installed are files inside /var/qmail/alias/ (qmail_alias_home_t) and the configurations inside /var/qmail/control/ (qmail_etc_t).
if /var/qmail ends up being anything else than var_t then all software that uses /var/qmail/bin/sendmail needs to have rights to reach that binary. probably via mta_sendmail_* if tweaks.
on a different note also /var/qmail/queue(/.*)? is currently mislabeled and should be system_u:object_r:qmail_spool_t.
cheers,
peter
> > The original qmail module explicitly marked /var/qmail directory as
> > var_t as this location is nothing more than a generic root location. The
> > actual qmail specifics are subdirectories in this location.
> >
> > Most domains that use qmail components do not expect this location to be
> > qmail_etc_t.
> >
> > Changes since v2
> > - Use .+ instead of (.*)? expression as suggested on #selinux
> >
> > Signed-off-by: Sven Vermeulen <[email protected]>
> > ---
> > qmail.fc | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/qmail.fc b/qmail.fc
> > index e53fe5a..d78c77d 100644
> > --- a/qmail.fc
> > +++ b/qmail.fc
> > @@ -32,6 +32,6 @@
> > /var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
> > /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
> >
> > -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
> > +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
> >
> > /var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
petre rodan
<[email protected]>
Technical Manager
Simplex SRL, Bucharest
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140529/17a3069c/attachment.bin
On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
>
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.
I'm holding off on making any decisions regarding this change, pending resolution to Dan and Petre's questions/concerns.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com