* [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
@ 2014-05-28 17:11 Sven Vermeulen
  2014-05-28 17:51 ` Daniel J Walsh
  2014-06-02 15:17 ` Christopher J. PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Sven Vermeulen @ 2014-05-28 17:11 UTC (permalink / raw)
  To: refpolicy

The original qmail module explicitly marked /var/qmail directory as
var_t as this location is nothing more than a generic root location. The
actual qmail specifics are subdirectories in this location.

Most domains that use qmail components do not expect this location to be
qmail_etc_t.

Changes since v2
- Use .+ instead of (.*)? expression as suggested on #selinux

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 qmail.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qmail.fc b/qmail.fc
index e53fe5a..d78c77d 100644
--- a/qmail.fc
+++ b/qmail.fc
@@ -32,6 +32,6 @@
 /var/qmail/bin/splogger	--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
 /var/qmail/bin/tcp-env	--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
 
-/var/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
+/var/qmail/.+	gen_context(system_u:object_r:qmail_etc_t,s0)
 
 /var/spool/qmail(/.*)?	gen_context(system_u:object_r:qmail_spool_t,s0)
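
Review bot: on the changed `/var/qmail/.+` line, the directory `/var/qmail` itself is no longer matched by any entry visible in this hunk, so its label now depends on whichever pattern elsewhere in the policy covers it. The commit message gives var_t as the intended type; consider making that explicit with a directory-only entry for `/var/qmail`, or confirm in the commit message which existing entry supplies it. Entries created directly under `/var/qmail` still match `.+` and are expected to be qmail_etc_t while their parent is not, so it is worth stating how they are meant to receive that label.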
-- 
1.8.5.5


* [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
  2014-05-28 17:11 [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t) Sven Vermeulen
@ 2014-05-28 17:51 ` Daniel J Walsh
  2014-05-28 19:23   ` Sven Vermeulen
  2014-05-29  3:15   ` Petre Rodan
  2014-06-02 15:17 ` Christopher J. PeBenito
  1 sibling, 2 replies; 5+ messages in thread
From: Daniel J Walsh @ 2014-05-28 17:51 UTC (permalink / raw)
  To: refpolicy

The problem with this change, is it would break a confined admin.  If a
confined admin tried to create new content in /var/qmail he would be denied.

On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
>
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.
>
> Changes since v2
> - Use .+ instead of (.*)? expression as suggested on #selinux
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  qmail.fc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/qmail.fc b/qmail.fc
> index e53fe5a..d78c77d 100644
> --- a/qmail.fc
> +++ b/qmail.fc
> @@ -32,6 +32,6 @@
>  /var/qmail/bin/splogger	--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
>  /var/qmail/bin/tcp-env	--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
>  
> -/var/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
> +/var/qmail/.+	gen_context(system_u:object_r:qmail_etc_t,s0)
>  
>  /var/spool/qmail(/.*)?	gen_context(system_u:object_r:qmail_spool_t,s0)
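
Review bot: the new `/var/qmail/.+` entry sits directly above `/var/spool/qmail(/.*)?`, which keeps the `(/.*)?` idiom, and nothing in the file says the difference is deliberate. Add a one-line comment above the changed entry stating that the top-level directory is intentionally left out of the match, so a later cleanup does not restore the old pattern.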


* [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
  2014-05-28 17:51 ` Daniel J Walsh
@ 2014-05-28 19:23   ` Sven Vermeulen
  2014-05-29  3:15   ` Petre Rodan
  1 sibling, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2014-05-28 19:23 UTC (permalink / raw)
  To: refpolicy

On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin.  If a
> confined admin tried to create new content in /var/qmail he would be denied.

> > -/var/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
> > +/var/qmail/.+	gen_context(system_u:object_r:qmail_etc_t,s0)

In that case it would make more sense to follow the best practice that is
used by most daemons, that is to label /var/qmail as a qmail-specific
variable type (like qmail_var_t) and have specific files under it as the
configuration type (qmail_etc_t) as needed.

It sucks a bit that qmail has this change structure. It is the original (?)
qmail.fc author that contacted me about this, as the (then NSA-provided)
qmail.fc didn't mark /var/qmail as qmail_etc_t.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
  2014-05-28 17:51 ` Daniel J Walsh
  2014-05-28 19:23   ` Sven Vermeulen
@ 2014-05-29  3:15   ` Petre Rodan
  1 sibling, 0 replies; 5+ messages in thread
From: Petre Rodan @ 2014-05-29  3:15 UTC (permalink / raw)
  To: refpolicy


Hi,

I wrote that policy a few years back.

On Wed, May 28, 2014 at 01:51:23PM -0400, Daniel J Walsh wrote:
> The problem with this change, is it would break a confined admin.  If a
> confined admin tried to create new content in /var/qmail he would be denied.
> On 05/28/2014 01:11 PM, Sven Vermeulen wrote:

what new content are you referring to?

as far as a standard qmail install goes, the only thing that is customizable once qmail is installed are files inside /var/qmail/alias/ (qmail_alias_home_t) and the configurations inside /var/qmail/control/ (qmail_etc_t).

if /var/qmail ends up being anything else than var_t then all software that uses /var/qmail/bin/sendmail needs to have rights to reach that binary. probably via mta_sendmail_* if tweaks.

on a different note also /var/qmail/queue(/.*)? is currently mislabeled and should be system_u:object_r:qmail_spool_t.

cheers,
peter



> > The original qmail module explicitly marked /var/qmail directory as
> > var_t as this location is nothing more than a generic root location. The
> > actual qmail specifics are subdirectories in this location.
> >
> > Most domains that use qmail components do not expect this location to be
> > qmail_etc_t.
> >
> > Changes since v2
> > - Use .+ instead of (.*)? expression as suggested on #selinux
> >
> > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> > ---
> >  qmail.fc | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/qmail.fc b/qmail.fc
> > index e53fe5a..d78c77d 100644
> > --- a/qmail.fc
> > +++ b/qmail.fc
> > @@ -32,6 +32,6 @@
> >  /var/qmail/bin/splogger	--	gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
> >  /var/qmail/bin/tcp-env	--	gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
> >  
> > -/var/qmail(/.*)?	gen_context(system_u:object_r:qmail_etc_t,s0)
> > +/var/qmail/.+	gen_context(system_u:object_r:qmail_etc_t,s0)
> >  
> >  /var/spool/qmail(/.*)?	gen_context(system_u:object_r:qmail_spool_t,s0)

-- 
petre rodan
<petre.rodan@simplex.ro>
Technical Manager
Simplex SRL, Bucharest

* [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t)
  2014-05-28 17:11 [refpolicy] [PATCH v3 1/1] The /var/qmail root is generic in nature (and definitely not qmail_etc_t) Sven Vermeulen
  2014-05-28 17:51 ` Daniel J Walsh
@ 2014-06-02 15:17 ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2014-06-02 15:17 UTC (permalink / raw)
  To: refpolicy

On 05/28/2014 01:11 PM, Sven Vermeulen wrote:
> The original qmail module explicitly marked /var/qmail directory as
> var_t as this location is nothing more than a generic root location. The
> actual qmail specifics are subdirectories in this location.
> 
> Most domains that use qmail components do not expect this location to be
> qmail_etc_t.

I'm holding off on making any decisions regarding this change, pending resolution to Dan and Petre's questions/concerns.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
