On 03/30/2010 10:06 AM, Paul Howarth wrote:
On 30/03/10 14:41, Daniel J Walsh wrote:
> On 03/30/2010 09:23 AM, Paul Howarth wrote:
>> dovecot 2.0 renames some files from 1.x and needs some additional
>> policy:
>>
>> File contexts:
>>
>> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>>
>> /usr/libexec/dovecot/auth --
>> gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
>>
>> /usr/libexec/dovecot/dovecot-lda --
>> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>>
>> Rules:
>>
>> type dovecot_tmp_t;
>> files_tmp_file(dovecot_tmp_t)
>> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
>> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
>> allow dovecot_t self:capability kill;
>> allow dovecot_t dovecot_auth_t:process signal;
>>
>> With those additions, I've got dovecot 2.0 running in my simple
>> PAM-based environment, leaving just the following AVC:
>>
>> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
>> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
>> scontext=unconfined_u:system_r:dovecot_t:s0
>> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
>> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
>> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
>> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
>> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>>
>> I haven't figured out where that's coming from yet but it looks far too
>> suspicious to allow, and doesn't seem to break anything when it's not
>> allowed.
>>
>> Paul.
>>
> Also is this coming to F12 or just F13?
Only Rawhide (F14) at the moment. I doubt that it will appear in F13
as it's not there yet (I'm not the maintainer btw) and the
configuration has changed from /etc/dovecot.conf to
/etc/dovecot/dovecot.conf + /etc/dovecot/conf.d/*.conf and some of the
directives have changed too.
Paul.
This might be a resend, since Thunderbird crashed. But thanks for the
heads-up. Added to F13 policy.
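As an added example (not part of this thread, and not code from the Dovecot project or the Fedora policy), here is a small Python triage script for the kind of AVC that Paul quotes: it parses AVC and SYSCALL records from audit.log, joins the pair by serial number, checks the denied access against the rules proposed in the thread, and flags mutating accesses to the `*_etc_t` config tree for review instead of turning them into an allow rule. It also decodes the SYSCALL record: arch c000003e is AUDIT_ARCH_X86_64, and syscall 42 on x86_64 is connect(2), so the "write" check on dovecot.conf came from a connect() against the config path rather than from the daemon opening the file for writing, which is the detail that decides between allow, dontaudit and leaving a denial as it is. The EXPECTED table is derived from Paul's proposed rules, the third sample record is constructed, and the syscall table is a partial one; all of that is assumption made for this example.

```python
"""Triage SELinux AVC/SYSCALL audit records against a list of expected accesses.

Added example, not part of the mailing-list thread. EXPECTED is derived from
the rules proposed in the thread; everything else is an assumption made here.
"""
import re
from typing import Any, Dict, List, Optional

# Sample input (constructed): the AVC/SYSCALL pair from the thread, re-joined
# onto single lines, plus one made-up denial against dovecot_tmp_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1269955051.001:91064): avc: denied { write } for pid=15315 comm="dovecot" name="temp.1" dev=dm-6 ino=22 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_tmp_t:s0 tclass=file
"""

# Accesses the proposed policy already grants: (source type, target type,
# class) -> permissions. manage_files_pattern() expands to the reference-policy
# manage_file_perms set; the other two entries are the explicit allow rules.
MANAGE_FILE_PERMS = {"create", "open", "getattr", "setattr", "read", "write",
                     "append", "rename", "link", "unlink", "ioctl", "lock"}
EXPECTED = {
    ("dovecot_t", "dovecot_tmp_t", "file"): MANAGE_FILE_PERMS,
    ("dovecot_t", "dovecot_auth_t", "process"): {"signal"},
    ("dovecot_t", "dovecot_t", "capability"): {"kill"},
}

# Partial x86_64 syscall table (arch=c000003e is AUDIT_ARCH_X86_64).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 42: "connect",
                   43: "accept", 59: "execve", 62: "kill", 87: "unlink"}

# Permissions that change a file's content or identity.
MUTATING_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
_PERMS = re.compile(r'denied\s+\{\s*([^}]*)\}')


def parse_record(line: str) -> Dict[str, Any]:
    """Split one audit record into a dict of its key=value fields."""
    rec: Dict[str, Any] = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    p = _PERMS.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec


def group_events(lines: List[str]) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Join AVC and SYSCALL records that share an audit serial number."""
    events: Dict[str, Dict[str, Dict[str, Any]]] = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def _type_of(context: str) -> str:
    """user:role:type:level -> type."""
    return context.split(":")[2]


def triage(event: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Classify one denial as 'expected', 'review' or 'unknown'."""
    avc = event["AVC"]
    src, tgt = _type_of(avc["scontext"]), _type_of(avc["tcontext"])
    tclass = avc["tclass"]
    perms = set(avc["perms"])
    syscall: Optional[str] = None
    sc = event.get("SYSCALL")
    if sc and sc.get("arch") == "c000003e":
        syscall = X86_64_SYSCALLS.get(int(sc["syscall"]), "unknown")
    if perms <= EXPECTED.get((src, tgt, tclass), set()):
        verdict = "expected"   # covered by the proposed rules
    elif tgt.endswith("_etc_t") and perms & MUTATING_PERMS:
        verdict = "review"     # daemon mutating its own config tree
    else:
        verdict = "unknown"
    return {
        "serial": avc["serial"], "source": src, "target": tgt, "class": tclass,
        "perms": sorted(perms), "syscall": syscall, "verdict": verdict,
        # What audit2allow would emit; only worth applying for 'expected'.
        "candidate_rule": f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};",
    }


def triage_all(text: str) -> List[Dict[str, Any]]:
    """Triage every event in a block of audit.log text, oldest first."""
    events = group_events(text.splitlines())
    return [triage(ev) for _, ev in sorted(events.items(), key=lambda kv: int(kv[0]))]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_AUDIT):
        print(f"{r['serial']} {r['verdict']:8} {r['source']} -> {r['target']}:{r['class']} "
              f"{r['perms']} syscall={r['syscall']}")
```

Running it on the sample prints the 91063 event as `review` with `syscall=connect` and the constructed 91064 event as `expected`; the `candidate_rule` field is the allow line audit2allow would have produced, which is exactly the line a reviewer should not paste for the `review` case.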