Bug#518552: spamass-milter: Directory /var/spool/postfix/spamass gets the wrong SE Linux label

Tue, 10 Mar 2009 15:09:00 -0700 

On Sat, 7 Mar 2009, Don Armstrong <d...@donarmstrong.com> wrote:
> On Sat, 07 Mar 2009, Russell Coker wrote:
> > The directory /var/spool/postfix/spamass gets the wrong label
> > because it is not created by dpkg (which correctly labels all files
> > and directories) and because the code which creates it does not call
> > restorecon.
>
> Does it need to call it on the actual file that's created or just the
> directory? [I'm not familiar enough with SE Linux.] (The patch below
> won't work in either case, anyway, but it's on the right path.)

You are correct, sorry I didn't test that patch properly before submitting the 
bug report.  I've attached a better one.

> Also, does it matter what the permissions are on the file/directory
> when I call restorecon?

No.  The restorecon program is run as root and has fairly unlimited access in 
the SE Linux policy.


--- /tmp/spamass-milter	2009-03-11 08:57:37.000000000 +1100
+++ ./spamass-milter	2009-03-07 12:09:15.000000000 +1100
@@ -92,18 +92,22 @@
 start() {
     # Because the default socket is in the same location as the
     # pidfile, we create them in this order.
-    if [ ! -d $(dirname $PIDFILE) ]; then
-	mkdir -p $(dirname $PIDFILE);
-	if [ -d $(dirname $PIDFILE) ] && [ -n "$RUNAS" ]; then
-	    chown "$RUNAS" $(dirname $PIDFILE);
-	fi;
-    fi;
-    if [ ! -d $(dirname $SOCKET) ]; then
-	mkdir -p $(dirname $SOCKET);
+    DIRNAME=$(dirname $PIDFILE)
+    if [ ! -d $DIRNAME ]; then
+	mkdir -p $DIRNAME
+	[ -x /sbin/restorecon ] && restorecon $DIRNAME
+	if [ -n "$RUNAS" ]; then
+	    chown "$RUNAS" $DIRNAME
+	fi
+    fi
+    DIRNAME=$(dirname $SOCKET)
+    if [ ! -d $DIRNAME ]; then
+	mkdir -p $DIRNAME
+	[ -x /sbin/restorecon ] && restorecon $DIRNAME
 	if [ -n "$SOCKETOWNER" ]; then
-	    chown "$RUNAS" $(dirname $SOCKET);
-	fi;
-    fi;
+	    chown "$RUNAS" $DIRNAME
+	fi
+    fi
     if [ -n "$RUNAS" ] && [ -d $(dirname $PIDFILE) ] && [ "$(stat -c '%U' $(dirname $PIDFILE))" != "$RUNAS" ]; then
 	echo "WARNING: $NAME will run as user $RUNAS but $(dirname $PIDFILE) is not owned by $RUNAS";
 	echo "Either delete this directory or chown it appropriately. Startup attempts may fail.";

Reply via email to