dovecot 2.0

Daniel J Walsh dwalsh at redhat.com
Tue Mar 30 13:40:51 UTC 2010


On 03/30/2010 09:23 AM, Paul Howarth wrote:
> dovecot 2.0 renames some files from 1.x and needs some additional policy:
>
> File contexts:
>
> /etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
>
> /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
>
> /usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
>
> Rules:
>
> type dovecot_tmp_t;
> files_tmp_file(dovecot_tmp_t)
> manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
> files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
> allow dovecot_t self:capability kill;
> allow dovecot_t dovecot_auth_t:process signal;
>
> With those additions, I've got dovecot 2.0 running in my simple
> PAM-based environment, leaving just the following AVC:
>
> type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for
> pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
> scontext=unconfined_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
> success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
> ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
> subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
>
> I haven't figured out where that's coming from yet but it looks far too
> suspicious to allow, and doesn't seem to break anything when it's not
> allowed.
>
> Paul.
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks. See if dovecot_t is doing an access check on the file? We can probably dontaudit it.
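The check Dan suggests is to look at the SYSCALL record paired with the AVC: if the denied write came from a permission probe such as access(2) or faccessat(2), the daemon never tried to modify the file and the denial can be silenced with dontaudit rather than allowed. The script below, an added example that is not code from this thread, from refpolicy or from dovecot, pairs each AVC record with the SYSCALL record carrying the same audit serial and prints a candidate dontaudit or allow line. It assumes the x86_64 syscall table (the quoted record shows arch=c000003e) and only lists the handful of numbers relevant here; the sample log is constructed from the records quoted above, re-joined onto one line each, plus a second, made-up pair in which the same denial comes from access(2).

```shell
#!/bin/sh
# Added example for this thread; not code from the list, refpolicy or dovecot.
# Pairs each AVC record with the SYSCALL record that has the same audit serial
# and suggests "dontaudit" when the denied operation was only a permission
# probe (access/faccessat), "allow" (i.e. review it) otherwise.
# Assumption: x86_64 syscall numbers, as arch=c000003e indicates.

# x86_64 syscall number -> name; only the numbers this example needs.
syscall_name() {
    case "$1" in
        2)   echo open ;;
        21)  echo access ;;
        42)  echo connect ;;
        257) echo openat ;;
        269) echo faccessat ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Value of the key=value field named $2 in audit record $1 (quotes stripped).
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Audit serial, e.g. "91063" from "msg=audit(1269955050.887:91063):".
serial_of() {
    printf '%s\n' "$1" | sed 's/.*msg=audit([^:]*:\([0-9]*\)).*/\1/'
}

# One candidate policy line per AVC record in the log text given as $1:
#   <allow|dontaudit> <source type> <target type>:<class> { perms };  # syscall
suggest_rules() {
    log=$1
    printf '%s\n' "$log" | grep '^type=AVC ' | while IFS= read -r avc; do
        serial=$(serial_of "$avc")
        num=$(printf '%s\n' "$log" | grep "^type=SYSCALL .*:$serial)" |
              sed -n 's/.* syscall=\([0-9]*\).*/\1/p')
        name=$(syscall_name "${num:-none}")
        perms=$(printf '%s\n' "$avc" | sed 's/.*denied *{ *\([^}]*\)}.*/\1/; s/ *$//')
        src=$(field "$avc" scontext | cut -d: -f3)
        tgt=$(field "$avc" tcontext | cut -d: -f3)
        cls=$(field "$avc" tclass)
        case "$name" in
            access|faccessat) verb=dontaudit ;;   # probe only: safe to silence
            *)                verb=allow ;;       # real access: review before adding
        esac
        printf '%s %s %s:%s { %s };  # syscall=%s\n' \
            "$verb" "$src" "$tgt" "$cls" "$perms" "$name"
    done
}

# Constructed sample log: the AVC/SYSCALL pair from the thread (serial 91063,
# joined onto one line each) plus a made-up pair (serial 91100) where the same
# denial is raised by access(2) instead.
SAMPLE_LOG='type=AVC msg=audit(1269955050.887:91063): avc:  denied  { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1269955100.000:91100): avc:  denied  { write } for pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955100.000:91100): arch=c000003e syscall=21 success=no exit=-13 a0=0 a1=2 a2=0 a3=0 items=0 ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)'

suggest_rules "$SAMPLE_LOG"
```

For the constructed access(2) pair the script emits `dontaudit dovecot_t dovecot_etc_t:file { write };`, which is the rule Dan has in mind. For the record actually quoted in the thread it emits an allow line instead, because syscall 42 on x86_64 is connect(2), not a permission probe and not an open(2) either, so that pair settles nothing by itself and the denial deserves a closer look (ausearch and strace on the running daemon) before any rule is written. On a real box the same pairing is done with `ausearch -m AVC,SYSCALL` and `audit2allow`; the point of doing it by hand is to see the syscall before choosing between allow and dontaudit.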
