From: russell@coker.com.au (Russell Coker)
Date: Tue, 3 Jul 2012 21:53:14 +1000
Subject: [refpolicy] pptp_t vs pppd_t
In-Reply-To: <4FF2D4EE.6050805@redhat.com>
References: <201207031543.56296.russell@coker.com.au> <4FF2D4EE.6050805@redhat.com>
Message-ID: <201207032153.15255.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 3 Jul 2012, Daniel J Walsh wrote:
> I really believe we should consolidate the mail domains. mail_t instead of
> sendmail_t, postfix_t, qmail_t, dovecot_t, courier_t ...

Sendmail works differently from all the modern MTAs in terms of separating
different tasks to run with minimum privs. For postfix and similar MTAs it's
best to have separate privs for the local delivery agent which is granted a
lot of access to the system (writing to user home directories) and also having
a separate domain for writing to the queue dir that can't do anything else is
also a good idea.

dovecot_t and courier_t are used for POP and IMAP, we could have an imap_t
instead as in the rare cases where someone has two different POP or IMAP
servers installed on one system they probably don't need to separate them.
But the POP/IMAP server really needs to be separated from the MTA.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/