From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 23 Aug 2014 13:35:46 +0200 Subject: [refpolicy] [PATCH 2/7] Label /var/spool/postfix/dev/ files In-Reply-To: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1408793751-11289-3-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Debian, /var/spool/postfix/dev contains log, urandom and random in the same types as the files in /dev. --- policy/modules/kernel/devices.fc | 4 ++++ policy/modules/system/logging.fc | 1 + 2 files changed, 5 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index d6ebfcd4e570..2356cf0d4dc8 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -201,6 +201,10 @@ ifdef(`distro_debian',` /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) /sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) +/var/spool/postfix/dev/random -c gen_context(system_u:object_r:random_device_t,s0) +/var/spool/postfix/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) + ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 428e43f117e5..374fb53ee0fd 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc 
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',` /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) -- 2.0.4
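Review bot: In the devices.fc hunk, the three /var/spool/postfix/dev entries have no comment saying what they are for, and it is not clear from the hunk whether they sit inside the distro_debian block named in the hunk header or are unconditional. The commit message only describes this layout on Debian, so either state that the labels are meant for every distribution or make sure the lines are inside a distro_debian block. A one-line comment above them, in the style of the "# originally from named.fc" line that introduces /var/named/chroot/dev just below, would tell readers that this is the Postfix chroot and why device_t, random_device_t and urandom_device_t appear under /var/spool.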
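Review bot: In the logging.fc hunk, /var/spool/postfix/dev/log is inserted after /var/spool/plymouth/boot\.log, separated from the existing /var/spool/postfix/pid entry; placing it directly next to /var/spool/postfix/pid would keep the two Postfix chroot paths together. The hunk header shows ifdef(`distro_redhat',` as context, so please also confirm that the new devlog_t line does not end up inside that block, since the commit message is about Debian.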