Bug 549566 - sec-policy/selinux-postfix - postmap policy to allow user interaction
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r6
Reported: 2015-05-15 13:35 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-07-03 15:56 UTC

Description Sven Vermeulen (RETIRED) gentoo-dev 2015-05-15 13:35:03 UTC
The postmap application is used by postfix admins to regenerate databases, like so:

~# postmap hash:/etc/postfix/hold

However, in the current policy, output of the postmap command (postfix_map_t) is not allowed to be sent to user terminals. It requires the following additions:

+       domain_use_interactive_fds(postfix_map_t)
+       userdom_use_user_terminals(postfix_map_t)
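
Review bot: the two added interface calls have no comment saying why postfix_map_t needs terminal access, and the snippet carries no file header or context lines, so it is not clear where in the policy they land. Suggest a one-line comment above them noting that postmap is run interactively by admins and writes its output to the caller's terminal, and naming the policy file they belong to. The library labeling fix described in the report is not part of these lines, so it needs its own hunk against the file contexts.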

Next to this, the postmap application needs library access to /usr/lib64/postfix/3.0.0/libpostfix-*. By default, those are labeled as postfix_exec_t. This is plain wrong; libraries should be of a library type.

Removing the /usr/lib/postfix/.* catchall fixes this.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-05-15 13:48:40 UTC
Fixed in repo, will be in rev 6
Comment 2 Jason Zaman gentoo-dev 2015-06-05 16:32:32 UTC
r6 policy is in ~arch
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-03 15:56:39 UTC
Now stable