From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 12 Apr 2013 07:51:48 +0200
Subject: [refpolicy] [PATCH 09/13] Postfix creates defer(red) queue locations
In-Reply-To: <201304121339.15850.russell@coker.com.au>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
 <1365669283-22005-10-git-send-email-sven.vermeulen@siphos.be>
 <201304121339.15850.russell@coker.com.au>
Message-ID: <20130412055119.GA19112@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Apr 12, 2013 at 01:39:15PM +1000, Russell Coker wrote:
> On Thu, 11 Apr 2013, Sven Vermeulen wrote:
> > At startup, the Postfix daemon will check if the defer and deferred queues
> > are available. If not, it will create them. Introduce the proper file
> > transitions to support this.
>
> If you are going to assign a new type for the defer/deferred directories then
> is the maildrop name the correct one? Those directories aren't for mail
> storage and the file contents are different to that which is used by programs
> such as maildrop.
>
> It's always been postfix_spool_t for those directories, why do we need to
> change this?

Because they're not postfix_spool_t according to the file context def?

#v+
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
#v-

What the patch does is streamline this so that we don't need restorecond or
a relabel operation.

Also, the deferred queue only has the directory labeled as such - mails that
are moved between queues retain their label (postfix_spool_t).

Wkr,
	Sven Vermeulen
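
Added example (not part of the message above and not refpolicy code): a small Python matcher for the two file context entries quoted in the reply, showing that the `-d` specifier on the deferred entry covers directories only while the defer entry covers every file type. It is a simplification of the real libselinux lookup, considers only these two entries, and uses constructed sample paths; a result of None means neither quoted entry applies.

```python
import re
import stat

# The two file context entries quoted in the message, copied verbatim.
FC_ENTRIES = """\
/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
"""

# File-type specifiers of the file context format, mapped to stat type bits.
FILE_TYPES = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK,
              "-p": stat.S_IFIFO}
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),([^)]+)\)$")

def parse_fc(text):
    """Parse .fc lines into (compiled path regex, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed file context line: {line!r}")
        path_re, ftype, context, level = m.groups()
        entries.append((re.compile(path_re), FILE_TYPES.get(ftype), f"{context}:{level}"))
    return entries

def lookup(entries, path, mode):
    """Context of the last entry whose regex and file type both match, else None.
    Assumption: simplified ordering, not the full libselinux precedence rules."""
    result = None
    for regex, ftype, context in entries:
        if regex.fullmatch(path) and (ftype is None or ftype == stat.S_IFMT(mode)):
            result = context
    return result

ENTRIES = parse_fc(FC_ENTRIES)

if __name__ == "__main__":
    # Constructed sample paths: queue directories and queue files.
    samples = [("/var/spool/postfix/deferred", stat.S_IFDIR | 0o700),
               ("/var/spool/postfix/deferred/A/ABC123", stat.S_IFREG | 0o600),
               ("/var/spool/postfix/defer", stat.S_IFDIR | 0o700),
               ("/var/spool/postfix/defer/A/ABC123", stat.S_IFREG | 0o600)]
    for path, mode in samples:
        print(path, "->", lookup(ENTRIES, path, mode))
```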