Dovecot now has quota support and it uses getmntent() to find the
mountpoints. However, it's not allowed to read /etc/mtab:
May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15131): avc:
denied { read } for pid=15788 comm="dovecot" name="mtab" dev=dm-0
ino=381458 scontext=user_u:system_r:dovecot_t:s0
tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15132): avc:
denied { getattr } for pid=15788 comm="dovecot" name="mtab" dev=dm-0
ino=381458 scontext=user_u:system_r:dovecot_t:s0
tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
These getattr denials are for the three non-LVM partitions I have
(/dev/shm being the tmpfs one). The 6 LVM volumes didn't generate these:
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15133): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=hda2
ino=2 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15134): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=hda1
ino=2 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15135): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=tmpfs
ino=4523 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
No big deal for me as I don't use quotas but someone will complain about
it eventually...
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
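As an added example (not code from Paul's message, Dovecot or the Fedora policy), a small parser that turns AVC denials like the ones above into the per-type permission sets an SELinux allow rule needs; the sample lines are four of the denials from the post, re-joined onto one line each as they appear in the log before mail wrapping.

```python
"""Parse SELinux AVC denials and group denied permissions by
(source type, target type, class).  Added example, not from the post."""
import re
from collections import defaultdict

# Constructed sample: four of the denials quoted in the post, re-joined onto one line each.
SAMPLE_AUDIT_LINES = [
    'May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15131): avc: denied { read } for pid=15788 comm="dovecot" name="mtab" dev=dm-0 ino=381458 scontext=user_u:system_r:dovecot_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file',
    'May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15132): avc: denied { getattr } for pid=15788 comm="dovecot" name="mtab" dev=dm-0 ino=381458 scontext=user_u:system_r:dovecot_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file',
    'May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15133): avc: denied { getattr } for pid=15788 comm="dovecot" name="/" dev=hda2 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir',
    'May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15135): avc: denied { getattr } for pid=15788 comm="dovecot" name="/" dev=tmpfs ino=4523 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': set, 'comm': ..., 'scontext': ..., ...} or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')          # drop the quotes around comm="..." / name="..."
    return rec


def context_type(ctx):
    """user_u:system_r:dovecot_t:s0 -> dovecot_t (the third field of a context)."""
    return ctx.split(":")[2]


def summarize(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as TE allow rules, the shape audit2allow prints."""
    return sorted(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
                  for (src, tgt, cls), perms in summary.items())
```

The rendered rules only say what the policy denied; whether the dovecot module should grant them is a policy decision, and read on /etc/mtab plus getattr on every mountpoint is exactly the access a getmntent()-based quota check generates.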