From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 28 May 2014 13:51:23 -0400
Subject: [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
In-Reply-To: <1401297103-17418-1-git-send-email-sven.vermeulen@siphos.be>
References: <1401297103-17418-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <5386221B.4090903@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The problem with this change is that it would break a confined admin. If a confined admin tried to create new content in /var/qmail he would be denied.

On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
>
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.
>
> Changes since v2
> - Use .+ instead of (.*)? expression as suggested on #selinux
>
> Signed-off-by: Sven Vermeulen
> ---
> qmail.fc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/qmail.fc b/qmail.fc
> index e53fe5a..d78c77d 100644
> --- a/qmail.fc
> +++ b/qmail.fc
> @@ -32,6 +32,6 @@
> /var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
> /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
>
> -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
> +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
>
> /var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
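Review bot: The `-/var/qmail(/.*)?` / `+/var/qmail/.+` change drops the entry that matched the /var/qmail directory itself without adding a replacement, so the directory's label now comes from whatever more general rule covers /var outside qmail.fc (not visible in this hunk), while the commit message describes the result as an explicit var_t label. Either add an explicit entry such as `/var/qmail -d gen_context(system_u:object_r:var_t,s0)` (the `-d` form and var_t are a suggestion, not something this hunk contains) or state in the commit message which fallback rule is relied on, so a later relabel of /var/qmail is predictable. The hunk also changes which type governs creating entries directly in /var/qmail: domains granted manage rights on qmail_etc_t directories lose the ability to create there unless they also have write access to the directory's new type, which is the confined-admin denial raised in the reply above and should be called out in the message.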