From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 13 Aug 2012 21:02:32 +0200 Subject: [refpolicy] [PATCH v2 4/6] Allow maildelivery to use dotlock files in the mail spool In-Reply-To: <1344884554-25135-1-git-send-email-sven.vermeulen@siphos.be> References: <1344884554-25135-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1344884554-25135-5-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When a mail delivery server wants to append mails to the users' mail spool file, it might also use dotlock files in order to "lock" access to the mail spool file. This requires the domain file managing rights (create/write/remove) within the mta_spool_t resource. Note that this isn't needed if only fcntl locking is used, but most mail delivery services use dotlock locking as well. Also, since the lock files are named .lock we cannot create file transitions (towards a lock type) as we cannot mention the filenames up front. Signed-off-by: Sven Vermeulen --- mta.te | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/mta.te b/mta.te index 84a7d66..9b0ff1d 100644 --- a/mta.te +++ b/mta.te @@ -214,9 +214,7 @@ optional_policy(` # allow mailserver_delivery mail_spool_t:dir list_dir_perms; -create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +manage_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -- 1.7.8.6
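Review bot: the commit message names the resource as mta_spool_t, but the type the hunk operates on is mail_spool_t; the message should be corrected so the log matches the policy. On the hunk itself, replacing create_files_pattern/read_files_pattern/append_files_pattern with manage_files_pattern grants the full manage_file_perms set (including write, unlink, rename and setattr) on every mail_spool_t file, not only on the dotlock files, so a compromised delivery domain can now truncate or delete users' mailboxes rather than only append to them. The message already acknowledges this is unavoidable because .lock names cannot be matched by a file transition, but that trade-off deserves a one-line comment above the rule (next to the existing "# allow mailserver_delivery" comment) so a later reader does not narrow it back to append without realising dotlock creation and removal depend on it.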