From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 28 May 2014 21:23:16 +0200
Subject: [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
In-Reply-To: <5386221B.4090903@redhat.com>
References: <1401297103-17418-1-git-send-email-sven.vermeulen@siphos.be> <5386221B.4090903@redhat.com>
Message-ID: <20140528192315.GA22636@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin. If a
> confined admin tried to create new content in /var/qmail he would be denied.
>
> -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
>
> +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)

In that case it would make more sense to follow the best practice that is
used by most daemons, that is to label /var/qmail as a qmail-specific
variable type (like qmail_var_t) and have specific files under it as the
configuration type (qmail_etc_t) as needed.

It sucks a bit that qmail has this change structure. It is the original (?)
qmail.fc author that contacted me about this, as the (then NSA-provided)
qmail.fc didn't mark /var/qmail as qmail_etc_t.

Wkr,
Sven Vermeulen
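Review bot: the replacement entry `+/var/qmail/.+` only matches entries beneath /var/qmail, so the directory itself is no longer given any qmail-specific context by this file and falls back to whatever the parent /var rule provides; that is exactly the confined-admin denial raised in the quoted reply. If the intent is to stop labeling the directory as qmail_etc_t, add an explicit entry for the directory with a qmail-specific variable type (the qmail_var_t suggested in the reply) alongside `/var/qmail/.+ ... qmail_etc_t`, rather than leaving the root unlabeled by this module, and say so in the commit message, which currently only explains why qmail_etc_t is wrong for the root and not what the root should be instead.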
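To see concretely what the quoted hunk changes and what the layout Sven proposes would do, here is a small file_contexts matcher. This is an added example, not code from refpolicy or libselinux; the fc fragments, the sample paths and the qmail_var_t type are constructed for illustration (the /var/qmail/control subtree is used only as a plausible config path, not copied from qmail.fc). Matching is anchored at both ends, as libselinux compiles .fc regexes; precedence is simplified to last-match-wins over the fragment's own order, which is the convention refpolicy .fc files are written to (general entries first, specific ones later); real labeling by setfiles/libselinux uses a more involved stem-based ordering.

```python
"""Toy file_contexts resolver: which .fc entry labels a given path?

Added example, not refpolicy or libselinux code. Entries are constructed;
qmail_var_t is the hypothetical type proposed for the /var/qmail root.
Precedence is simplified to last-match-wins (assumption, see lead-in).
"""
import re

# Constructed fragments as (path regex, type). In a real .fc file the
# right-hand side is gen_context(system_u:object_r:<type>,s0).
BEFORE = [
    (r"/var(/.*)?", "var_t"),                    # generic /var rule (base policy)
    (r"/var/qmail(/.*)?", "qmail_etc_t"),        # the '-' line of the hunk
]

# The hunk under discussion: the directory itself is no longer matched.
AFTER_HUNK = [
    (r"/var(/.*)?", "var_t"),
    (r"/var/qmail/.+", "qmail_etc_t"),           # the '+' line of the hunk
]

# Layout suggested in the reply: a qmail-specific variable type on the root,
# the configuration type only on the config subtree(s) that need it.
PROPOSED = [
    (r"/var(/.*)?", "var_t"),
    (r"/var/qmail(/.*)?", "qmail_var_t"),        # hypothetical type
    (r"/var/qmail/control(/.*)?", "qmail_etc_t"),  # constructed config path
]


def fc_matches(pattern, path):
    """libselinux compiles each .fc regex anchored as ^pattern$."""
    return re.fullmatch(pattern, path) is not None


def label_for(entries, path):
    """Type of the last matching entry, or None if no entry matches."""
    label = None
    for pattern, ctx in entries:
        if fc_matches(pattern, path):
            label = ctx
    return label


def report(entries, paths):
    """Map each sample path to the type it would receive."""
    return {p: label_for(entries, p) for p in paths}


# Constructed sample paths: the root, a config file, a runtime file, and a
# sibling that must not be caught by the qmail rules.
SAMPLE_PATHS = [
    "/var/qmail",
    "/var/qmail/control/me",
    "/var/qmail/queue/lock",
    "/var/qmailfoo",
]

if __name__ == "__main__":
    for name, entries in (("before", BEFORE),
                          ("after hunk", AFTER_HUNK),
                          ("proposed", PROPOSED)):
        print(name, report(entries, SAMPLE_PATHS))
```

Running it shows the effect the reviewer objects to: with the hunk applied, /var/qmail itself drops to the generic /var label while everything below it stays qmail_etc_t; with the proposed layout the root becomes qmail_var_t, only the config subtree is qmail_etc_t, and runtime files under the root inherit the variable type.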