49275 2004-04-28 06:25 0000 qmail policy update 2004-10-21 04:38:31 0000 1 1 1 Unclassified Gentoo Linux Hardened 2004.1 All All RESOLVED FIXED P2 normal --- 1 kaiowas@gentoo.org kaiowas@gentoo.org kaiowas@gentoo.org 2004-04-28 06:25:21 0000 this update includes serialmail support, support for qmail-1.0.3-r13 (tested only on 1 lucky non-production server) and alias file contexts. as I have said before, it is _extremely_ important to label everything inside ~alias (/var/qmail/alias) with a $user_home_t type. $user can be user, staff or sysadm depending on everyone's taste. without labeling ~alias, this entire policy is useless. mails that have to be received by users that have aliases will never arrive. mails to root cannot be sent to a local user/mail address, postmaster mails will never be delivered, ezmlm will never function correctly, etc. ~alias looks like: # cat /etc/passwd |grep alias alias:x:200:200::/var/qmail/alias:/bin/false # id alias uid=200(alias) gid=200(nofiles) groups=200(nofiles) i really see no problem in labeling it with staff_t for example. i have tried to declare user alias roles { staff_r }; to no avail. the 'alias' word seems to be 'misinterpreted' by m4. can we please make something about this? I had no luck with Russell :( BTW, please leave /var/qmail/alias(/.*)? system_u:object_r:staff_home_t or whatever without '--', because we have both files and directories there. once I will be able to compile any qmail >qmail-1.03-r11 I will also add functionality for .qmail files and I will do much more thorough tests. it looks like qmail is a very unhappy package in gentoo. most of the time it doesn't even compile (and I talk about the stable version here) because of bad patch management. those patches are being changed upstream and it's only a small step from md5sum errors to compile problems. IMHO all those patches should reside in portage itself and they should be version/release oriented. kaiowas@gentoo.org 2004-04-28 06:25:58 0000 Created an attachment (id=30232) file contexts kaiowas@gentoo.org 2004-04-28 06:26:28 0000 Created an attachment (id=30233) type enforcement kaiowas@gentoo.org 2004-10-21 04:38:31 0000 in CVS 30232 2004-04-28 06:25 0000 file contexts qmail.fc.diff text/plain LS0tIHFtYWlsLmZjLm9sZAkyMDA0LTA0LTI4IDE1OjQ4OjIxLjAwMDAwMDAwMCArMDMwMAorKysg cW1haWwuZmMJMjAwNC0wNC0yOCAxNTo0NzoyMi4wMDAwMDAwMDAgKzAzMDAKQEAgLTM4LDYgKzM4 LDE1IEBACiAvdmFyL3FtYWlsL2Jpbi9zcGxvZ2dlciAtLQlzeXN0ZW1fdTpvYmplY3RfcjpxbWFp bF9zcGxvZ2dlcl9leGVjX3QKIC92YXIvcW1haWwvYmluL3FtYWlsLWdldHB3IC0tCXN5c3RlbV91 Om9iamVjdF9yOnFtYWlsX2V4ZWNfdAogCisvdXNyL2Jpbi9zZXJpYWxxbXRwICAgIC0tIHN5c3Rl bV91Om9iamVjdF9yOnFtYWlsX3NlcmlhbG1haWxfZXhlY190CisvdXNyL2Jpbi9zZXJpYWxzbXRw ICAgIC0tIHN5c3RlbV91Om9iamVjdF9yOnFtYWlsX3NlcmlhbG1haWxfZXhlY190CisvdXNyL2Jp bi9tYWlsZGlycW10cCAgIC0tIHN5c3RlbV91Om9iamVjdF9yOnFtYWlsX3NlcmlhbG1haWxfZXhl Y190CisvdXNyL2Jpbi9tYWlsZGlyc210cCAgIC0tIHN5c3RlbV91Om9iamVjdF9yOnFtYWlsX3Nl cmlhbG1haWxfZXhlY190CisvdXNyL2Jpbi9tYWlsZGlyc2VyaWFsIC0tIHN5c3RlbV91Om9iamVj dF9yOnFtYWlsX3NlcmlhbG1haWxfZXhlY190CisKICMgR2VudG9vCiAvdmFyL3FtYWlsL2Jpbi9z ZW5kbWFpbAktLQlzeXN0ZW1fdTpvYmplY3RfcjpzZW5kbWFpbF9leGVjX3QKKy92YXIvcW1haWwv YWxpYXMoLy4qKT8gICAgICAgICAgc3lzdGVtX3U6b2JqZWN0X3I6c3RhZmZfaG9tZV90CisKKwor Cg== 30233 2004-04-28 06:26 0000 type enforcement qmail.te.diff text/plain LS0tIHFtYWlsLnRlLm9sZAkyMDA0LTA0LTI4IDE1OjQ4OjIxLjAwMDAwMDAwMCArMDMwMAorKysg cW1haWwudGUJMjAwNC0wNC0yOCAxNTo0NzoyMi4wMDAwMDAwMDAgKzAzMDAKQEAgLTE5MSw3ICsx OTEsMzEgQEAKIGFsbG93IHFtYWlsX3NlcmlhbG1haWxfdCBjcm9uZF90OmZpZm9fZmlsZSB7IHJl YWQgd3JpdGUgaW9jdGwgfTsKIGFsbG93IHFtYWlsX3NlcmlhbG1haWxfdCBkZXZ0dHlfdDpjaHJf ZmlsZSB7IHJlYWQgd3JpdGUgfTsKIAorYWxsb3cgcW1haWxfc2VyaWFsbWFpbF90IHNlbGY6Y2Fw YWJpbGl0eSB7IGRhY19vdmVycmlkZSB9OworYWxsb3cgcW1haWxfc2VyaWFsbWFpbF90IGV0Y190 OmZpbGUgeyBnZXRhdHRyIHJlYWQgfTsKK2FsbG93IHFtYWlsX3NlcmlhbG1haWxfdCBzaGVsbF9l eGVjX3Q6ZmlsZSB7IHJ4X2ZpbGVfcGVybXMgfTsKKworaWZkZWYoYHBwcGQudGUnLCBgCitkb21h aW5fYXV0b190cmFucyhwcHBkX3QsIHFtYWlsX3NlcmlhbG1haWxfZXhlY190LCBxbWFpbF9zZXJp YWxtYWlsX3QpCithbGxvdyBxbWFpbF9zZXJpYWxtYWlsX3QgcHBwX2RldmljZV90OmNocl9maWxl IHsgcmVhZCB3cml0ZSB9OworYWxsb3cgcW1haWxfc2VyaWFsbWFpbF90IHBwcGRfdmFyX3J1bl90 OmZpbGUgeyByZWFkIHdyaXRlIH07CisnKQorCiAjIGZvciB0Y3BjbGllbnQKIGNhbl9leGVjKHFt YWlsX3NlcmlhbG1haWxfdCwgYmluX3QpCiBhbGxvdyBxbWFpbF9zZXJpYWxtYWlsX3QgYmluX3Q6 ZGlyIHNlYXJjaDsKIAorIyBmcm9tIC1yMTMgZ2VudG9vIHBhdGNoZXMKK3JlYWRfbG9jYWxlKHFt YWlsX3F1ZXVlX3QpCityZWFkX2xvY2FsZShxbWFpbF9zbXRwZF90KQorCisjIC92YXIvcW1haWwv YmluL3FtYWlsLWdldHB3IGFjY2Vzc2VzIC92YXIvc3Bvb2wvbWFpbAorYWxsb3cgcW1haWxfbHNw YXduX3QgbWFpbF9zcG9vbF90OmRpciB7IGdldGF0dHIgfTsKKworYWxsb3cgcW1haWxfbG9jYWxf dCBxbWFpbF9zcG9vbF90OmZpbGUgcl9maWxlX3Blcm1zOworCisjIGtlcm5lbCBidWc/IENocmlz LCB3ZSd2ZSBkaXNjdXNzZWQgYWJvdXQgdGhpcyBhIGZldyBtb250aHMgYmVmb3JlCisjIHN5c19h ZG1pbiBidWcgc3RpbGwgcHJlc2VudCBpbiBoYXJkZW5lZC1zb3VyY2VzLTIuNC4yNC1yMworYWxs b3cgcW1haWxfaW5qZWN0X3QgcW1haWxfaW5qZWN0X3Q6Y2FwYWJpbGl0eSB7IHN5c19hZG1pbiB9 OworCisK