dovecot 2.0

dovecot 2.0 renames some files from 1.x and needs some additional policy:

File contexts:

/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)

/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)

/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)

Rules:

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;

With those additions, I've got dovecot 2.0 running in my simple 
PAM-based environment, leaving just the following AVC:

type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

I haven't figured out where that's coming from yet but it looks far too 
suspicious to allow, and doesn't seem to break anything when it's not 
allowed.

Paul.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
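As an added example (not from Paul's post, nor from the Dovecot or SELinux reference policy projects): a small Python parser that takes the two audit records quoted above, joined back onto one line each, pairs the AVC record with its SYSCALL record by event id, decodes the arch/syscall/exit fields (c000003e is x86_64, syscall 42 there is connect(2), exit -13 is EACCES) and emits the audit2allow-style rule that would silence the denial. It also flags the case the post describes: a daemon domain asking for write on its own *_etc_t configuration type, which is the kind of rule a policy reviewer should refuse rather than paste in. The decode tables hold only the values needed here and are an assumption to extend for other architectures; the sample input is constructed from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the post, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
"""

HEADER_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \} for')

# Minimal decode tables (assumption: only what this event needs; extend per arch).
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_X86_64 = {2: "open", 42: "connect", 257: "openat"}
ERRNO = {-1: "EPERM", -13: "EACCES"}


def parse_record(line):
    """Split one audit record into type, event id and its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line[:40])
    rec = {"type": m.group(1), "time": m.group(2), "event_id": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(line[m.end():]))
    a = AVC_RE.search(line)
    if a:  # AVC records carry the verdict and the permission set
        rec["result"] = a.group(1)
        rec["perms"] = sorted(a.group(2).split())
    return rec


def parse_audit(text):
    """Group records by event id: a list of AVCs plus the SYSCALL that caused them."""
    events = defaultdict(lambda: {"avc": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["event_id"]]
        if rec["type"] == "AVC":
            ev["avc"].append(rec)
        else:
            ev[rec["type"].lower()] = rec
    return dict(events)


def type_of(context):
    """Pull the type field out of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(event):
    """Decode one event: the rule audit2allow would print, the syscall behind it,
    and whether it asks for write access to a configuration (*_etc_t) type."""
    sc = event.get("syscall", {})
    arch = ARCH_NAMES.get(sc.get("arch"), sc.get("arch"))
    nr = int(sc["syscall"]) if "syscall" in sc else None
    if arch == "x86_64" and nr is not None:
        name = SYSCALL_X86_64.get(nr, f"syscall#{nr}")
    else:
        name = f"syscall#{nr}"
    exit_code = int(sc["exit"]) if "exit" in sc else None
    rules, config_write = [], False
    for avc in event["avc"]:
        stype, ttype = type_of(avc["scontext"]), type_of(avc["tcontext"])
        rules.append(f"allow {stype} {ttype}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};")
        if "write" in avc["perms"] and ttype.endswith("_etc_t"):
            config_write = True  # a daemon writing its own config: review, don't allow
    return {
        "comm": sc.get("comm"), "exe": sc.get("exe"), "arch": arch,
        "syscall": name, "errno": ERRNO.get(exit_code, exit_code),
        "rules": rules, "config_write": config_write,
    }


if __name__ == "__main__":
    for event_id, event in parse_audit(SAMPLE_AUDIT).items():
        s = summarize(event)
        print(f"event {event_id}: {s['comm']} ({s['exe']}) {s['syscall']} on {s['arch']} -> {s['errno']}")
        for rule in s["rules"]:
            print("  " + rule + ("   # config write, review before allowing" if s["config_write"] else ""))
```

Feed it `ausearch -m AVC,SYSCALL` output for a wider run; the grouping by event id is what lets you see that the denied file write here was raised from a connect(2) call rather than an open/write, which is the first thing to check before deciding whether a rule belongs in the module.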
