From: russell@coker.com.au (Russell Coker)
Date: Tue, 3 Jul 2012 21:53:14 +1000
Subject: [refpolicy] pptp_t vs pppd_t
In-Reply-To: <4FF2D4EE.6050805@redhat.com>
References: <201207031543.56296.russell@coker.com.au>
	<4FF2D4EE.6050805@redhat.com>
Message-ID: <201207032153.15255.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 3 Jul 2012, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I really believe we should consolidate the mail domains.  mail_t instead of
> sendmail_t, postfix_t, qmail_t, dovecot_t, courier_t ...

Sendmail works differently from all the modern MTAs in terms of separating 
different tasks to run with minimum privs.

For postfix and similar MTAs it's best to have separate privs for the local 
delivery agent which is granted a lot of access to the system (writing to user 
home directories) and also having a separate domain for writing to the queue 
dir that can't do anything else is also a good idea.

dovecot_t and courier_t are used for POP and IMAP, we could have an imap_t 
instead as in the rare cases where someone has two different POP or IMAP 
servers installed on one system they probably don't need to separate them.  
But the POP/IMAP server really needs to be separated from the MTA.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/