From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 13 Aug 2012 21:02:29 +0200 Subject: [refpolicy] [PATCH v2 1/6] Mark the pid directory as a pid directory In-Reply-To: <1344884554-25135-1-git-send-email-sven.vermeulen@siphos.be> References: <1344884554-25135-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1344884554-25135-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Currently, the policy has the pid directory itself marked as the postfix_spool_t type. However, when mails are delivered, several postfix daemons need to add/remove their PID files. It makes much more sense to mark this location as postfix_var_run_t rather than having file transitions for all these daemons when they write their PID file. Signed-off-by: Sven Vermeulen --- postfix.fc | 2 +- postfix.if | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix.fc b/postfix.fc index 1ddfa16..90bf84e 100644 --- a/postfix.fc +++ b/postfix.fc @@ -46,7 +46,7 @@ ifdef(`distro_redhat', ` /var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) +/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) diff --git a/postfix.if b/postfix.if index 46bee12..00e30cb 100644 --- a/postfix.if +++ b/postfix.if 
@@ -56,7 +56,7 @@ template(`postfix_domain_template',` allow postfix_$1_t postfix_spool_t:dir list_dir_perms; - allow postfix_$1_t postfix_var_run_t:file manage_file_perms; + manage_files_pattern(postfix_$1_t, postfix_var_run_t, postfix_var_run_t) files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) kernel_read_system_state(postfix_$1_t) -- 1.7.8.6
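Review bot: in the postfix.fc hunk, widening `/var/spool/postfix/pid/.*` to `/var/spool/postfix/pid(/.*)?` changes the label of the directory itself (previously caught by the generic `/var/spool/postfix(/.*)?` rule as postfix_spool_t), so existing installs will need a relabel of that path before the new dir permissions line up; it would help to say so in the commit message, and to confirm that the domain which creates the pid directory (not only the daemons that write files into it) is allowed to create and manage a postfix_var_run_t directory, since the visible .if hunk only adds file and dir-entry permissions for the per-daemon domains.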
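Review bot: in the postfix.if hunk, swapping `allow postfix_$1_t postfix_var_run_t:file manage_file_perms;` for `manage_files_pattern(postfix_$1_t, postfix_var_run_t, postfix_var_run_t)` is the right move, since the pattern also grants rw_dir_perms on the postfix_var_run_t directory that the daemons now need to add and remove entries in; however the unchanged `files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)` context line sits oddly next to a commit message whose stated aim is to avoid per-daemon file transitions. Files created under the relabelled pid directory inherit postfix_var_run_t from their parent without any transition, so either that call should go, or the commit message should explain which /var/run location still relies on it.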