From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Nov 2012 21:58:54 +0100
Subject: [refpolicy] [PATCH v1 8/9] Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353185935-17421-9-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Postfix /moves/ the mail files between the queues as they are processed.
Mails that cannot be delivered currently are pushed towards the deferred
queue. However, when this occurs, the mail file retains its context (as it
is moved, not copied) for postfix_spool_t.

If we would relabel the system or directory at that point, the mail gets
labeled postfix_spool_maildrop_t. When a new attempt is made to deliver,
the postfix daemons, like local, are not able to read (and process) the
mail anymore since they do not hold read rights on the
postfix_spool_maildrop_t type.

Only marking the deferred directory as postfix_spool_maildrop_t solves this.

Signed-off-by: Sven Vermeulen
---
 postfix.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/postfix.fc b/postfix.fc
index be8e880..c0e8785 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -47,7 +47,7 @@
 /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
 /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
-- 
1.7.8.6
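Review bot: the `-d` added to the `deferred(/.*)?` entry only changes what setfiles/restorecon assigns on a relabel; it does not by itself guarantee that files Postfix creates directly inside deferred/ (rather than renames into it) get postfix_spool_t, because without a type_transition in postfix.te a new file inherits the parent directory's postfix_spool_maildrop_t. Please either confirm such a transition exists or state in the commit message that files only ever arrive in deferred/ by rename from another queue, which is the assumption the fix relies on. Note also that the `(/.*)?` suffix still matches the hash subdirectories under deferred/, so they keep postfix_spool_maildrop_t while their files fall through to the `/var/spool/postfix.*` postfix_spool_t entry above; that is presumably intended but worth a sentence. Finally, the adjacent `defer(/.*)?` and `maildrop(/.*)?` entries keep matching files, so the commit message should say why the same reasoning does not apply to them.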