From: petre.rodan@simplex.ro (Petre Rodan)
Date: Thu, 29 May 2014 06:15:13 +0300
Subject: [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
In-Reply-To: <5386221B.4090903@redhat.com>
References: <1401297103-17418-1-git-send-email-sven.vermeulen@siphos.be> <5386221B.4090903@redhat.com>
Message-ID: <20140529031513.GA2898@peter.simplex.ro>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I wrote that policy a few years back.

On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin. If a
> confined admin tried to create new content in /var/qmail he would be denied.
> On 05/28/2014 01:11 PM, Sven Vermeulen wrote:

what new content are you referring to?

as far as a standard qmail install goes, the only thing that is customizable once qmail is installed are files inside /var/qmail/alias/ (qmail_alias_home_t) and the configurations inside /var/qmail/control/ (qmail_etc_t).

if /var/qmail ends up being anything other than var_t then all software that uses /var/qmail/bin/sendmail needs to have rights to reach that binary. probably via mta_sendmail_* if tweaks.

on a different note also /var/qmail/queue(/.*)? is currently mislabeled and should be system_u:object_r:qmail_spool_t.

cheers,
peter

> > The original qmail module explicitly marked /var/qmail directory as
> > var_t as this location is nothing more than a generic root location. The
> > actual qmail specifics are subdirectories in this location.
> >
> > Most domains that use qmail components do not expect this location to be
> > qmail_etc_t.
> >
> > Changes since v2
> > - Use .+ instead of (.*)? expression as suggested on #selinux
> >
> > Signed-off-by: Sven Vermeulen
> > ---
> > qmail.fc | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/qmail.fc b/qmail.fc
> > index e53fe5a..d78c77d 100644
> > --- a/qmail.fc
> > +++ b/qmail.fc
> > @@ -32,6 +32,6 @@
> > /var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
> > /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
> >
> > -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
> > +/var/qmail/.+ gen_context(system_u:object_r:qmail_etc_t,s0)
> >
> > /var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
petre rodan
Technical Manager
Simplex SRL, Bucharest
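Review bot: the hunk removes /var/qmail itself from the qmail_etc_t pattern but adds no entry for the directory, so its label now depends on whichever more general rule covers /var instead of being stated in qmail.fc; the commit message says the original module marked the directory as var_t explicitly, and the patch should say so too. Consider keeping the new `/var/qmail/.+` catch-all and adding an explicit directory entry next to it, e.g. `/var/qmail -d gen_context(system_u:object_r:var_t,s0)`, so the intended label is visible in the file rather than implied by fallback. The unchanged `/var/spool/qmail(/.*)?` context line is the only qmail_spool_t entry in the hunk; the reply's remark that /var/qmail/queue should also be qmail_spool_t is not addressed by this change and would need a separate entry.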
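The `(/.*)?` versus `/.+` distinction the patch turns on, as an added example that is not part of this thread or of refpolicy: a toy resolver for file_contexts lines that reports which type /var/qmail and its children get under the old and the patched pattern. The fragment it reads is constructed from the five qmail lines visible in the quoted hunk plus an assumed generic `/var(/.*)?` var_t rule standing in for refpolicy's; the resolver assumes entries are already in the order fc_sort would emit (general first, specific last) and that the last matching entry wins, and it uses Python regexes where libselinux uses PCRE. On a real host, check labels with matchpathcon(1) or `restorecon -nv`, not with this script.

```python
"""Toy resolver for SELinux file_contexts entries (added example, not refpolicy code).

It shows the difference the patch turns on: `/var/qmail(/.*)?` also matches the
directory /var/qmail itself, while `/var/qmail/.+` only matches entries below it,
so the directory falls through to the more general /var rule.

Assumptions: entries are listed in the order refpolicy's fc_sort would emit
(general first, specific last) and the last matching entry wins.  The
`/var(/.*)?` line is a stand-in for refpolicy's generic /var rule.
"""
import re

# Constructed fragment: the qmail lines are the ones visible in the quoted hunk.
FC_BEFORE = """\
/var(/.*)?                  gen_context(system_u:object_r:var_t,s0)
/var/qmail(/.*)?            gen_context(system_u:object_r:qmail_etc_t,s0)
/var/qmail/bin/splogger  -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/var/qmail/bin/tcp-env   -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/var/spool/qmail(/.*)?      gen_context(system_u:object_r:qmail_spool_t,s0)
"""

# The same fragment with the pattern as changed by the patch.
FC_AFTER = """\
/var(/.*)?                  gen_context(system_u:object_r:var_t,s0)
/var/qmail/.+               gen_context(system_u:object_r:qmail_etc_t,s0)
/var/qmail/bin/splogger  -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
/var/qmail/bin/tcp-env   -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
/var/spool/qmail(/.*)?      gen_context(system_u:object_r:qmail_spool_t,s0)
"""

# <regex> [<file type flag>] gen_context(<user>:<role>:<type>,<mls>)
# Flags: -- regular file, -d directory, -l symlink, -c/-b char/block dev, -s socket, -p fifo.
LINE_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\(\w+:\w+:(?P<type>\w+),[^)]+\)$"
)


def parse_fc(text):
    """Return [(anchored compiled regex, kind or None, type)] for each entry."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable file_contexts line: %r" % line)
        ftype = m.group("ftype")
        # No flag: the entry applies to any kind of object.
        kind = None if ftype is None else ("f" if ftype == "--" else ftype[1])
        # libselinux anchors the pattern at both ends, so do the same here.
        specs.append((re.compile("^" + m.group("regex") + "$"), kind, m.group("type")))
    return specs


def resolve(fc_text, path, kind="f"):
    """Type that `path` (kind: 'f' file, 'd' directory, ...) would get, or None."""
    winner = None
    for regex, want_kind, typ in parse_fc(fc_text):
        if want_kind is not None and want_kind != kind:
            continue
        if regex.match(path):
            winner = typ  # keep scanning: the last matching entry wins
    return winner


def compare(path, kind="f"):
    """(type under the old pattern, type under the patched pattern)."""
    return resolve(FC_BEFORE, path, kind), resolve(FC_AFTER, path, kind)


if __name__ == "__main__":
    for path, kind in [("/var/qmail", "d"), ("/var/qmail/control/me", "f"),
                       ("/var/qmail/bin/splogger", "f"), ("/var/qmail/bin/sendmail", "f"),
                       ("/var/spool/qmail", "d")]:
        before, after = compare(path, kind)
        print("%-28s %-22s -> %s" % (path, before, after))
```

Only the directory /var/qmail itself changes type; everything below it, including a binary such as /var/qmail/bin/sendmail that has no entry of its own in this fragment, still receives qmail_etc_t under both patterns, which is the part of the tree the reply's traversal concern is about.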