From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 25 Aug 2014 11:04:38 -0400 Subject: [refpolicy] [PATCH 2/7] Label /var/spool/postfix/dev/ files In-Reply-To: <1408793751-11289-3-git-send-email-nicolas.iooss@m4x.org> References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> <1408793751-11289-3-git-send-email-nicolas.iooss@m4x.org> Message-ID: <53FB5086.1050808@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 8/23/2014 7:35 AM, Nicolas Iooss wrote: > On Debian, /var/spool/postfix/dev contains log, urandom and random in > the same types as the files in /dev. It might make more sense for Debian to have a path substitution, rather than duplicating file contexts. I'm guessing this is Postfix chrooting into /var/spool/postfix, so /var/spool/postfix/dev is the chroot's /dev? > --- > policy/modules/kernel/devices.fc | 4 ++++ > policy/modules/system/logging.fc | 1 + > 2 files changed, 5 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index d6ebfcd4e570..2356cf0d4dc8 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -201,6 +201,10 @@ ifdef(`distro_debian',` > /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) > /sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) > > +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) > +/var/spool/postfix/dev/random -c gen_context(system_u:object_r:random_device_t,s0) > +/var/spool/postfix/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) > + > ifdef(`distro_redhat',` > # originally from named.fc > /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) > diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc > index 428e43f117e5..374fb53ee0fd 100644 > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc 
> @@ -72,6 +72,7 @@ ifdef(`distro_redhat',` > /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) > /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) > /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) > +/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) > /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) > > /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
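Review bot: in the devices.fc hunk the three new `/var/spool/postfix/dev*` entries are added without a distro guard, while the commit message scopes them to Debian and the neighbouring `/var/named/chroot/dev` entries that do the same job for the BIND chroot sit inside `ifdef(`distro_redhat',`. The `@@ -201,6 +201,10 @@ ifdef(`distro_debian',`` header only names the nearest preceding ifdef, not whether that block is still open, and a fresh `ifdef(`distro_redhat',` opening two lines below suggests it is not, so as written these contexts would apply on every distribution. Either wrap them in `ifdef(`distro_debian',` ... `')` to match the redhat block, or drop them in favour of the path substitution Chris suggests, which avoids duplicating a /dev file context for every node the chroot may need. The types chosen (`device_t` for the directory, `random_device_t` and `urandom_device_t` with `-c`) mirror the named chroot entries and look correct.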
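Review bot: in the logging.fc hunk the new `/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)` line is inserted after `/var/spool/plymouth/boot\.log`, which breaks the sorted order the surrounding entries keep (`bacula`, `postfix/pid`, `plymouth`, `rsyslog`); it belongs directly before the existing `/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)` entry. `-s` with `devlog_t` is the right type for the syslog socket the chrooted daemon connects to, and since `/var/spool/postfix/pid` is already listed here unguarded, leaving this entry unguarded is consistent with this file; just make sure it ends up under the same condition as the `/var/spool/postfix/dev` directory entry in devices.fc, otherwise the socket could be labelled on a system where its parent directory is not.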