[selinux-policy: 2370/3172] Dovecot patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:30:23 UTC 2010


commit 4dd84bbf0e969aeb8b635589b95c5b4a0b46346e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 7 11:50:47 2010 -0500

    Dovecot patch from Dan Walsh.

 policy/modules/services/dovecot.te |   23 +++++++++++++++++++----
 1 files changed, 19 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index fb5df30..9f16e2e 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot, 1.11.0)
+policy_module(dovecot, 1.11.1)
 
 ########################################
 #
@@ -41,7 +41,7 @@ files_type(dovecot_spool_t)
 
 # /var/lib/dovecot holds SSL parameters file
 type dovecot_var_lib_t;
-files_type(dovecot_var_lib_t) 
+files_type(dovecot_var_lib_t)
 
 type dovecot_var_log_t;
 logging_log_file(dovecot_var_log_t)
@@ -56,7 +56,7 @@ files_pid_file(dovecot_var_run_t)
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:process { setrlimit signal_perms getcap setcap };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
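Review bot: The `getcap setcap` permissions added in `allow dovecot_t self:process { setrlimit signal_perms getcap setcap };` have no comment and no reason in the commit message, and the same is true of the `dovecot_auth_t` rule in the next hunk. These permissions let each domain read and change its own capability sets, presumably so the daemon can drop privileges after startup, but someone auditing the policy cannot confirm that from the rule alone. I would put a line above each rule, for example `# getcap/setcap: daemon adjusts its own capability sets (presumably to drop privileges); confirm against the AVC denial`. The rest of both domains' local policy lies outside these hunks.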
@@ -159,7 +159,7 @@ optional_policy(`
 #
 
 allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
-allow dovecot_auth_t self:process signal_perms;
+allow dovecot_auth_t self:process { signal_perms getcap setcap };
 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -208,6 +208,11 @@ seutil_dontaudit_search_config(dovecot_auth_t)
 
 optional_policy(`
 	kerberos_use(dovecot_auth_t)
+
+	# for gssapi (kerberos)
+	userdom_list_user_tmp(dovecot_auth_t)
+	userdom_read_user_tmp_files(dovecot_auth_t)
+	userdom_read_user_tmp_symlinks(dovecot_auth_t)
 ')
 
 optional_policy(`
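Review bot: The three `userdom_*_user_tmp*` calls let `dovecot_auth_t` list and read all user temporary content, while the comment `# for gssapi (kerberos)` names only the feature and not the files needed. This is the domain that handles login credentials, so the policy should record what it actually reads there, which is presumably the Kerberos credential cache kept in the user's tmp directory. I would expand the comment to something like `# gssapi: read the user's Kerberos credential cache, which is labelled as user tmp content`. If the policy has or later gains a narrower type for that cache, the grant should move to it.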
@@ -257,6 +262,16 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
 userdom_manage_user_home_content_sockets(dovecot_deliver_t)
 userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
 
+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_files(dovecot_t)
+	fs_manage_nfs_symlinks(dovecot_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_manage_cifs_files(dovecot_t)
+	fs_manage_cifs_symlinks(dovecot_t)
+')
+
 optional_policy(`
 	mta_manage_spool(dovecot_deliver_t)
 ')
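Review bot: Both `tunable_policy` blocks grant access to `dovecot_t`, yet they sit between rules for `dovecot_deliver_t` (the `userdom_manage_user_home_content_*` lines above and `mta_manage_spool(dovecot_deliver_t)` below). If the goal is delivery into NFS or CIFS home directories, the delivery domain likely needs the same access; if the main daemon really is the target, the blocks belong in the `dovecot_t` section. The blocks also cover only files and symlinks, so creating maildir subdirectories on those filesystems would presumably also need `fs_manage_nfs_dirs` and `fs_manage_cifs_dirs`. The section these lines belong to starts outside the hunk, so the intended domain should be confirmed against the full file.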

