[refpolicy] services_amavis.patch

Christopher J. PeBenito cpebenito at tresys.com
Mon Oct 6 13:20:16 CDT 2008


On Fri, 2008-09-26 at 07:03 +1000, Russell Coker wrote:
> On Friday 26 September 2008 06:10, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > I tend to think this is a good idea to look at some domains and start
> > to combine them to simplify policy.   The pendulum has swung too far
> > towards least privs and needs to start coming back the other way.  Email
> > handling/spam filtering/virus checking is the worst example of this.
> 
> I don't agree with the blanket statement that the pendulum has swung too far 
> towards least privs.
> 
> However I think that there are some specific examples which seemed to involve 
> too many domains at the time they were created and which never demonstrated a 
> need for them.
> 
> One example is the Postfix and Qmail policy which I wrote knowing that there 
> were not security benefits in using so many domains.  My plan for many years 
> has been to review both of them and determine which domains could be merged.  
> When I had time to work on this there were no tools to allow such analysis.  
> I'll have to get back to this.

One specific example that I noticed recently about these was that
there is a mail_spool_t in mta, and postfix and qmail also have their
own spool types.  Those sounded like they could possibly all merge into
mail_spool_t, but I haven't had a chance to investigate further.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


