From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-495157-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 060B313800E
	for <garchives@archives.gentoo.org>; Sat, 11 Aug 2012 19:02:09 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 0161DE05D5;
	Sat, 11 Aug 2012 19:01:26 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	by pigeon.gentoo.org (Postfix) with ESMTP id B849CE0595
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Aug 2012 19:01:26 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id CD3B81B4030
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Aug 2012 19:01:25 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id 84A5EE5446
	for <gentoo-commits@lists.gentoo.org>; Sat, 11 Aug 2012 19:01:23 +0000 (UTC)
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <1344695756.fccf8e5d6faaff58b45df90b5da93a66a4da0014.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/postfix.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: fccf8e5d6faaff58b45df90b5da93a66a4da0014
X-VCS-Branch: master
Date: Sat, 11 Aug 2012 19:01:23 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 2c35fb1d-4af0-4070-9bb4-53f3e18b23ad
X-Archives-Hash: 4bc8795c0cf436c5cf64e2330145b820

commit:     fccf8e5d6faaff58b45df90b5da93a66a4da0014
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 10 19:14:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 11 14:35:56 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fccf8e5d

Add in transitions for queue types when the queues are created

At startup, postfix creates the missing queue directories inside
/var/spool/postfix. This is done by the master process. However, since the
/var/spool/postfix directory is labeled postfix_spool_t and there were no named
file transitions, all created queues became postfix_spool_t. This meant that an
administrator had to relabel the directories afterwards.

This patch adds in the necessary named file transitions for those directories,
with create and setattr (for changing ownership of the directories) for the
postfix master domain.

Also include the fowner capability, needed for when postfix chown's the queues.

---
 policy/modules/contrib/postfix.te |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index a1e0f60..a1a7663 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -93,7 +93,7 @@ mta_mailserver_delivery(postfix_virtual_t)
 #
 
 # chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config fowner };
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
@@ -112,15 +112,19 @@ allow postfix_master_t postfix_postdrop_exec_t:file getattr;
 
 allow postfix_master_t postfix_postqueue_exec_t:file getattr;
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 
 domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
 
 allow postfix_master_t postfix_prng_t:file rw_file_perms;
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
+setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
 
 domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
 
@@ -128,6 +132,13 @@ domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
 manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
+# Initial seed of postfix queues
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
 
 allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
 allow postfix_master_t postfix_spool_bounce_t:file getattr;
@@ -136,10 +147,14 @@ manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush
 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
+setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
+
 kernel_read_all_sysctls(postfix_master_t)
 
 corenet_all_recvfrom_unlabeled(postfix_master_t)