From: dominick.grift@gmail.com (Dominick Grift)
Date: Sun, 12 Aug 2012 11:54:45 +0200
Subject: [refpolicy] [PATCH v1 1/6] Mark the pid directory as a pid directory
In-Reply-To: <1344711594-11687-2-git-send-email-sven.vermeulen@siphos.be>
References: <1344711594-11687-1-git-send-email-sven.vermeulen@siphos.be> <1344711594-11687-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1344765285.20817.3.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-08-11 at 20:59 +0200, Sven Vermeulen wrote:
> diff --git a/postfix.if b/postfix.if
> index 46bee12..9f7355b 100644
> --- a/postfix.if
> +++ b/postfix.if
> @@ -57,6 +57,7 @@ template(`postfix_domain_template',`
> allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
>
> allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
> + allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;
> files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
>

I would change "allow postfix_$1_t postfix_var_run_t:file manage_file_perms;" to "manage_files_pattern(postfix_$1_t, postfix_var_run_t, postfix_var_run_t)" rather than adding "allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;".

This is what that pattern is for.

define(`manage_files_pattern',`
	allow $1 $2:dir rw_dir_perms;
	allow $1 $3:file manage_file_perms;
')

> kernel_read_system_state(postfix_$1_t)
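
Review bot: the added "allow postfix_$1_t postfix_var_run_t:dir rw_dir_perms;" line, together with the existing "postfix_var_run_t:file manage_file_perms" rule directly above it, writes out by hand the two rules that manage_files_pattern expands to, so the pair is better expressed as one "manage_files_pattern(postfix_$1_t, postfix_var_run_t, postfix_var_run_t)" call. Because the rule sits inside postfix_domain_template, the directory write access is granted to every postfix_$1_t domain the template creates; the commit message should say which of those domains actually create files in the pid directory, so the grant can be checked against least privilege.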