From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Nov 2012 21:58:53 +0100
Subject: [refpolicy] [PATCH v1 7/9] Reintroduce postfix_var_run_t for pid
	directory and fowner capability
In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353185935-17421-8-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In August 21, a few changes were made to the postfix module that were reverted
somewhere in the last few months. Reintroducing these changes:

- Add in the fowner capability for the master domain, needed for running
  chown on the queue's.
- Mark the pid directory as a pid directory

See http://oss.tresys.com/pipermail/refpolicy/2012-August/005475.html for more
information.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 postfix.fc |    2 +-
 postfix.te |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index 5b315be..be8e880 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -50,7 +50,7 @@
 /var/spool/postfix/deferred(/.*)?	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/defer(/.*)?	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/maildrop(/.*)?	gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)?	gen_context(system_u:object_r:postfix_var_run_t,s0)
 /var/spool/postfix/private(/.*)?	gen_context(system_u:object_r:postfix_private_t,s0)
 /var/spool/postfix/public(/.*)?	gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)?	gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
diff --git a/postfix.te b/postfix.te
index c0e6ace..aed8d8e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -123,7 +123,7 @@ allow postfix_domain postfix_master_t:process sigchld;
 
 allow postfix_domain postfix_spool_t:dir list_dir_perms;
 
-allow postfix_domain postfix_var_run_t:file manage_file_perms;
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
 files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
 
 kernel_read_system_state(postfix_domain)
@@ -194,7 +194,7 @@ domain_use_interactive_fds(postfix_user_domains)
 # Master local policy
 #
 
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid net_bind_service sys_tty_config };
 allow postfix_master_t self:capability2 block_suspend;
 allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
-- 
1.7.8.6