dovecot 2.0

Paul Howarth paul at
Tue Mar 30 13:23:19 UTC 2010

dovecot 2.0 renames some files from 1.x and needs some additional policy:

File contexts:

/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)

/usr/libexec/dovecot/auth -- 

/usr/libexec/dovecot/dovecot-lda -- 


type dovecot_tmp_t;
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;

With those additions, I've got dovecot 2.0 running in my simple 
PAM-based environment, leaving just the following AVC:

type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for 
pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 
tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 
success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 
ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" 
subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

I haven't figured out where that's coming from yet but it looks far too 
suspicious to allow, and doesn't seem to break anything when it's not 


More information about the selinux mailing list