dovecot 2.0

Paul Howarth paul at city-fan.org
Tue Mar 30 13:23:19 UTC 2010


dovecot 2.0 renames some files from 1.x and needs some additional policy:

File contexts:

/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)

/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)

/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)

Rules:

type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;

With those additions, I've got dovecot 2.0 running in my simple 
PAM-based environment, leaving just the following AVC:

type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

I haven't figured out where that's coming from yet but it looks far too 
suspicious to allow, and doesn't seem to break anything when it's not 
allowed.

Paul.
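As an added illustration (not part of Paul's post or of the Fedora policy), the following Python helper parses an AVC denial like the one above into the allow rule audit2allow would propose, and flags mutating access to a `*_etc_t` configuration type as something to investigate rather than allow. The sample line is the AVC from the mail rejoined onto one line; the "suspicious" heuristic is an assumption of this example.

```python
import re

# Constructed sample input: the AVC denial quoted in the mail, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for '
    'pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 '
    'scontext=unconfined_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file'
)

# Pull the permission set, source/target contexts and object class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) .*?tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, permission set), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def suggested_rule(line):
    """The allow rule that would silence this denial (what audit2allow would print)."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    stype, ttype, tclass, perms = parsed
    perm_str = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
    return f'allow {stype} {ttype}:{tclass} {perm_str};'

# Permissions that modify or remove data. A daemon being denied one of these
# against its own configuration type is the case the mail calls "far too
# suspicious to allow": the rule below is what NOT to add blindly.
MUTATING = {'write', 'append', 'create', 'unlink', 'rename', 'setattr'}

def is_suspicious(line):
    """Heuristic (assumed here): mutating access to a *_etc_t type warrants investigation."""
    parsed = parse_avc(line)
    if parsed is None:
        return False
    _, ttype, _, perms = parsed
    return ttype.endswith('_etc_t') and bool(perms & MUTATING)

if __name__ == '__main__':
    print(suggested_rule(AVC_LINE), '# suspicious' if is_suspicious(AVC_LINE) else '')
```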

