From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 17 Nov 2012 21:58:53 +0100 Subject: [refpolicy] [PATCH v1 7/9] Reintroduce postfix_var_run_t for pid directory and fowner capability In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be> References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1353185935-17421-8-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In August 21, a few changes were made to the postfix module that were reverted somewhere in the last few months. Reintroducing these changes: - Add in the fowner capability for the master domain, needed for running chown on the queue's. - Mark the pid directory as a pid directory See http://oss.tresys.com/pipermail/refpolicy/2012-August/005475.html for more information. Signed-off-by: Sven Vermeulen --- postfix.fc | 2 +- postfix.te | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/postfix.fc b/postfix.fc index 5b315be..be8e880 100644 --- a/postfix.fc +++ b/postfix.fc @@ -50,7 +50,7 @@ /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) +/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) diff --git a/postfix.te b/postfix.te index c0e6ace..aed8d8e 100644 --- a/postfix.te +++ b/postfix.te @@ -123,7 +123,7 @@ allow postfix_domain postfix_master_t:process sigchld; allow postfix_domain postfix_spool_t:dir list_dir_perms; -allow postfix_domain postfix_var_run_t:file manage_file_perms; +manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) files_pid_filetrans(postfix_domain, postfix_var_run_t, file) kernel_read_system_state(postfix_domain) @@ -194,7 +194,7 @@ domain_use_interactive_fds(postfix_user_domains) # Master local policy # -allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid net_bind_service sys_tty_config }; allow postfix_master_t self:capability2 block_suspend; allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; -- 1.7.8.6