Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
# /usr/sbin/sendmail is a symlink, so ... allow crond_t sendmail_exec_t:lnk_file { read }; # iptables-save also needs this: allow iptables_t proc_net_t:dir { search }; allow iptables_t proc_net_t:file { read getattr }; read_locale(iptables_t) # needed in order to upgrade a ssh daemon ;) ifdef(`daemontools.te', ` allow sshd_t self:capability { kill }; allow sshd_t self:process { signal }; ')
The 2nd and third blocks are committed, but not the first one. The convention is that symlinks to binaries should only be bin_t or sbin_t, and the target of the symlink should have the transition type, sendmail_exec_t in this case. Please adjust your qmail labeling.
ok. i'm removing the /usr/sbin/sendmail definition from qmail.fc. you are most welcome do the same in http://bugs.gentoo.org/attachment.cgi?id=21928&action=view ;) is there a public document that contains conventions like this? bye, peter
I dont know of any doc that has this or other conventions; there are few people that do much work on policy.
