From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 27 May 2014 08:53:33 -0400 Subject: [refpolicy] [PATCH 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t) In-Reply-To: <1400781342-12154-1-git-send-email-sven.vermeulen@siphos.be> References: <1400781342-12154-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <53848ACD.7050208@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/22/2014 01:55 PM, Sven Vermeulen wrote: > The original qmail module explicitly marked /var/qmail directory as > var_t as this location is nothing more than a generic root location. The > actual qmail specifics are subdirectories in this location. > > Most domains that use qmail components do not expect this location to be > qmail_etc_t. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/kernel/files.fc | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc > index b876c48..c6c27c3 100644 > --- a/policy/modules/kernel/files.fc > +++ b/policy/modules/kernel/files.fc > @@ -252,6 +252,8 @@ ifndef(`distro_redhat',` > /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) > /var/lost\+found/.* <> > > +/var/qmail -d gen_context(system_u:object_r:var_t,s0) > + > /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) > /var/run -l gen_context(system_u:object_r:var_run_t,s0) > /var/run/.* gen_context(system_u:object_r:var_run_t,s0) It sounds like the file context in the qmail module needs to be fixed to not include /var/qmail instead. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
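Review bot: The added `/var/qmail -d` line in policy/modules/kernel/files.fc labels a service-specific path from the kernel files module, but the patch does not touch the spec that currently gives this directory qmail_etc_t, so two file-context entries are left matching the same directory. Narrow or remove the qmail-side pattern so that it no longer covers the /var/qmail directory itself. If the entry does stay in files.fc, add a comment above it saying why a qmail path is labeled var_t here, since nothing in the hunk explains it to someone reading the file later.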