From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 31 Dec 2014 17:04:44 +0100
Subject: [refpolicy] [PATCH 2/6] Locate authdaemon socket and communicate with authdaemon
In-Reply-To: <20141230204747.GB12724@bigboy.network2>
References: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be>
 <1419970899-19892-3-git-send-email-sven.vermeulen@siphos.be>
 <20141230204747.GB12724@bigboy.network2>
Message-ID: <20141231160444.GA4733@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Dec 30, 2014 at 09:47:57PM +0100, Dominick Grift wrote:
> > diff --git a/courier.te b/courier.te
> > index 112a60b..c4ab936 100644
> > --- a/courier.te
> > +++ b/courier.te
> > @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
> >
> >  allow courier_pop_t courier_var_lib_t:file { read write };
> >
> > +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
>
> Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t?
>
> I suspect that the above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)"
> If my assumption is wrong then please explain why

Good catch. Indeed, I had a stale courier_var_run_t lying around from an attempt to reconfigure the daemons to use /var/run/courier instead of /var/lib/courier for the socket. But I failed miserably and I don't know why - it continues to make the socket in /var/lib/courier.

I reset the contexts of /var/lib completely and can confirm that courier_var_lib_t is what is needed. I'll update the patch to this.

Wkr,
  Sven Vermeulen
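Review bot: in the quoted hunk, the `+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)` line passes courier_var_run_t as the socket-file type (third argument) while the directory type (second argument) is courier_var_lib_t; since the thread confirms the authdaemon socket is created under /var/lib/courier and carries courier_var_lib_t, the line should read `stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)`. With the stale type, the sock_file write permission that stream_connect_pattern grants to courier_pop_t would target a type the socket never has, so the connect would be denied in practice; the corrected line is what the reply says the updated patch will carry.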