From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 20 Nov 2012 19:54:39 +0100
Subject: [refpolicy] [PATCH v1 8/9] Postfix deferred queue should not mark mails as postfix_spool_maildrop_t
In-Reply-To: <1353185935-17421-9-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be> <1353185935-17421-9-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353437679.12612.2.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-11-17 at 21:58 +0100, Sven Vermeulen wrote:
> Postfix /moves/ the mail files between the queues as they are processed. Mails
> that cannot be delivered currently are pushed towards the deferred queue.
> However, when this occurs, the mail file retains its context (as it is moved,
> not copied) for postfix_spool_t.
>
> If we were to relabel the system or directory at that point, the mail gets labeled
> postfix_spool_maildrop_t. When a new attempt is made to deliver, the postfix
> daemons, like local, are not able to read (and process) the mail anymore since
> they do not hold read rights on the postfix_spool_maildrop_t type.
>
> Only marking the deferred directory as postfix_spool_maildrop_t solves this.
>
> Signed-off-by: Sven Vermeulen
> ---
> postfix.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/postfix.fc b/postfix.fc
> index be8e880..c0e8785 100644
> --- a/postfix.fc
> +++ b/postfix.fc
> @@ -47,7 +47,7 @@ > /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) > > /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) > -/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) > +/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) > /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) > /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) > /var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)

"Only marking the deferred directory as postfix_spool_maildrop_t solves this."

The file context spec does not apply to just the deferred dir but also applies to all dirs below, just so that you are aware of that.
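Review bot: the commit message says only the deferred directory is marked postfix_spool_maildrop_t, but the changed spec keeps the trailing `(/.*)?`, so with `-d` it still matches every directory below /var/spool/postfix/deferred (Postfix's hashed queue subdirectories included); only regular files under it now fall through to the generic `/var/spool/postfix.*` spec and get postfix_spool_t. Either drop `(/.*)?` if the single top-level directory really is the intent, or reword the message to say the deferred directory tree. Before merging, confirm with `matchpathcon` or `restorecon -nv` on a queue file under deferred/ that it resolves to postfix_spool_t rather than postfix_spool_maildrop_t, since the fix depends on the generic spec still applying to those files.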
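To make the effect of the `-d` flag and the point about subdirectories concrete, the following is an added example (not refpolicy or libselinux code) that models file-context matching over the specs quoted in the hunk, both before and after the patch. It anchors each spec regex at both ends as libselinux does, honours the `-d` file-type flag, and assumes that among matching specs the last one in file order wins, which reproduces the generic-before-specific ordering visible in the hunk. The queue paths, the hash directory name `A` and the queue ID are constructed for the demonstration.

```python
# Added example (not refpolicy or libselinux code): a small model of how the
# SELinux file-context specs from postfix.fc apply to queue paths, used to see
# what the "-d" flag added by the patch above changes.
import re

# File-type flags accepted in .fc specs, mapped to the file type they restrict to.
TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-b": "block",
    "-c": "char", "-s": "socket", "-p": "fifo",
}

# regex  [type-flag]  gen_context(user:role:type,level)
SPEC_RE = re.compile(r"^(\S+)(?:\s+(-[-dlbcsp]))?\s+gen_context\(([^,]+),([^)]+)\)$")

# The postfix.fc lines from the hunk as they read before the patch (constructed copy).
FC_BEFORE = """
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
"""

# The same lines with the patch applied: the deferred spec gains "-d".
FC_AFTER = FC_BEFORE.replace(
    "/var/spool/postfix/deferred(/.*)? gen_context",
    "/var/spool/postfix/deferred(/.*)? -d gen_context",
)


def parse_fc(text):
    """Parse .fc lines into (anchored regex, required file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable spec: {line!r}")
        regex, flag, ctx, level = m.groups()
        # libselinux anchors every spec regex at both ends.
        specs.append((re.compile("^" + regex + "$"), TYPE_FLAGS.get(flag), f"{ctx}:{level}"))
    return specs


def matchpathcon(specs, path, ftype):
    """Return the context a path of the given file type would be relabeled to, or None.

    Assumption: among the specs that match, the last one in file order wins,
    which is how the generic and specific specs are ordered in this hunk.
    """
    result = None
    for regex, wanted_type, ctx in specs:
        if wanted_type is not None and wanted_type != ftype:
            continue  # a "-d" spec never applies to a regular file
        if regex.match(path):
            result = ctx
    return result


# Constructed queue paths: the deferred hash directory "A" and a queue file in it.
SAMPLE_PATHS = [
    ("/var/spool/postfix/deferred", "dir"),
    ("/var/spool/postfix/deferred/A", "dir"),
    ("/var/spool/postfix/deferred/A/A1B2C3D4E5", "file"),
    ("/var/spool/postfix/active/A1B2C3D4E5", "file"),
]


def relabel_table(fc_text):
    """Map each sample path to the context a relabel would assign under fc_text."""
    specs = parse_fc(fc_text)
    return {path: matchpathcon(specs, path, ftype) for path, ftype in SAMPLE_PATHS}


if __name__ == "__main__":
    for name, fc in (("before patch", FC_BEFORE), ("after patch", FC_AFTER)):
        print(name)
        for path, ctx in relabel_table(fc).items():
            print(f"  {path:45} {ctx}")
```

Running it shows the two things the thread is about: after the patch a queue file under deferred/A/ resolves to postfix_spool_t instead of postfix_spool_maildrop_t, so a relabel no longer hides it from the delivery daemons, while deferred/A itself (and any other directory below deferred) still gets postfix_spool_maildrop_t because the `(/.*)?` part of the spec is unchanged.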