On 30/03/10 14:41, Daniel J Walsh wrote:
On 03/30/2010 09:23 AM, Paul Howarth wrote:
> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>
> File contexts:
>
> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>
> /usr/libexec/dovecot/auth --
> gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
>
> /usr/libexec/dovecot/dovecot-lda --
> gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>
> Rules:
>
> type dovecot_tmp_t;
> files_tmp_file(dovecot_tmp_t)
> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
> allow dovecot_t self:capability kill;
> allow dovecot_t dovecot_auth_t:process signal;
>
> With those additions, I've got dovecot 2.0 running in my simple
> PAM-based environment, leaving just the following AVC:
>
> type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
> scontext=unconfined_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot"
exe="/usr/sbin/dovecot"
> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>
> I haven't figured out where that's coming from yet but it looks far too
> suspicious to allow, and doesn't seem to break anything when it's not
> allowed.
>
> Paul.
>
Also is this coming to F12 or just F13?
Only Rawhide (F14) at the moment. I doubt that it will appear in F13 as
it's not there yet (I'm not the maintainer btw) and the configuration
has changed from /etc/dovecot.conf to /etc/dovecot/dovecot.conf +
/etc/dovecot/conf.d/*.conf and some of the directives have changed too.
Paul.