On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
On 04/05/2010 04:47 AM, Dominick Grift wrote:
>type procmail_home_t;
>userdom_user_home_content(procmail_home_t)
>
>optional_policy(`
>gen_require(`
> type procmail_t;
>')
>
>manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
>manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
>userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
>userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
>userdom_search_user_home_dirs(procmail_t)
>userdom_search_admin_dir(procmail_t)
>')
>
>myprocmail.fc:
>
>HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
>/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
>
>make -f /usr/share/selinux/devel/Makefile myprocmail.pp
>sudo semodule -i myprocmail.pp
>sudo restorecon -v /root/.procmailrc
>
I will add this, but there is a comment in the current policy
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
userdom_manage_user_home_content_symlinks(procmail_t)
userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
Should we add a file context for maildir and add the symlinks, pipes, sockets for procmail_home_t?
I later noticed that comment as well, and this probably complicates matters, as procmail is likely not the only service that needs access to maildir. Also, I believe there are different methods of storing e-mail. One of which is maildir, another mbox, I believe. There are probably more.
So I think we should figure out the locations and formats for storing e-mail, and I think we should use a generic type for mail content in the user dirs.
I wonder what the reason is that this has not been implemented yet (who made the comment in refpolicy and why?)