Hi,
this is a rather special use case, but I think it is valid. According to
Paul's hints at
http://marilyn.frields.org:8080/~paul/wordpress/?p=2616
I configured postfix to relay my local mail via some mail servers. But
since I like a clean approach I did not want the sasl_password files
in /etc/ so that the admin (me) has to handle plain text passwords
there.
Postfix seems to support multiple db files at arbitrary positions. But
SELinux does not. I guess the transition to postfix_smtp_t is a little
too early (before chroot). So I changed the context of my sasl_passwd
files to postfix_smtp_t, just to notice that:
1. I (as a user) cannot do this
2. After I did it nevertheless I cannot edit those files
So here is my proposal:
Introduce postfix_userconfig_t and let postfix_smtp_t read it, and allow
transitions and read/write access from unconfined_t to it. I know that
this is suboptimal because it effectively becomes unconfined_t, but
since the admin _must_ add those files to /etc/postfix/main.cf (and
should allow only harmless files) I guess that this is ok.
Any objections, or shall I try to write a patch for the policy?
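
The proposal above, sketched as a local policy module. This is an added example, not part of the original post and not code from the upstream policy. The module name and version are assumptions; `postfix_userconfig_t` is the type name the post proposes.

```selinux
# Added illustration, not the poster's or the upstream policy's code.
policy_module(postfix_userconfig, 1.0.0)

gen_require(`
	type postfix_smtp_t;
	type unconfined_t;
')

# New type proposed in the post for user-maintained lookup tables
# (for example sasl_passwd and the sasl_passwd.db built from it).
type postfix_userconfig_t;
files_type(postfix_userconfig_t)

# The smtp client may only read these files, never modify them.
allow postfix_smtp_t postfix_userconfig_t:file read_file_perms;

# The user's domain may edit the files and move labels to and from the type.
allow unconfined_t postfix_userconfig_t:file { manage_file_perms relabel_file_perms };

# Assumption: postfix_smtp_t can already search the directories leading to
# the files; if not, a search rule for those directory types is needed too.
```

Once the module is built and loaded with `semodule -i`, the credential files can be labelled with `chcon -t postfix_userconfig_t`. Because anything carrying this type becomes readable by the smtp client, the label should go only on files that are meant to be listed in /etc/postfix/main.cf.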