Package: refpolicy
Version: 2:0.0.20080702-14
Severity: normal
Tags: patch

Hello,

/usr/lib/dovecot/deliver, the LDA of dovecot, requires access to 
/etc/dovecot.conf. After applying the patch in #517709, deliver runs in 
the domain of the MTA. As it is recommended to run postfix as MTA 
together with SELinux, this will be the domain postfix_local_t.

After applying the patch in #517712, /etc/dovecot.conf is dovecot_etc_t. 
Domain postfix_local_t has no access to type dovecot_etc_t. The attached 
patch will fix it.

Thanks
Frank
diff -urN refpolicy-0.0.20080702/policy/modules/services/dovecot.te refpolicy-0.0.20080702.new/policy/modules/services/dovecot.te
--- refpolicy-0.0.20080702/policy/modules/services/dovecot.te	2009-03-01 17:31:47.000000000 +0100
+++ refpolicy-0.0.20080702.new/policy/modules/services/dovecot.te	2009-03-01 18:11:25.000000000 +0100
@@ -1,5 +1,5 @@
 
-policy_module(dovecot, 1.9.1)
+policy_module(dovecot, 1.9.2)
 
 ########################################
 #
@@ -58,6 +58,18 @@
 ifdef(`distro_debian', `
 allow dovecot_t dovecot_etc_t:dir search_dir_perms;
 ')
+# deliver runs in the domain of the caller but needs read access
+# to config files. If deliver ist used by postfix it will run in
+# domain postfix_local_t
+optional_policy(`
+	require {
+		type postfix_local_t;
+	};
+	allow postfix_local_t dovecot_etc_t:file read_file_perms;
+	ifdef(`distro_debian', `
+		allow postfix_local_t dovecot_etc_t:dir search_dir_perms;
+	')
+')
 files_search_etc(dovecot_t)
 
 can_exec(dovecot_t, dovecot_exec_t)
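Review bot: the `require { type postfix_local_t; };` block and the direct `allow postfix_local_t dovecot_etc_t:...` rules in dovecot.te reference another module's domain by name, which goes against the refpolicy convention that access to a module's own types is granted through an interface in its .if file and invoked from the other module's .te inside `optional_policy(`...')`. Consider adding an interface to dovecot.if (the name `dovecot_read_config` is a suggestion here, not an interface the file is known to have) wrapping `allow $1 dovecot_etc_t:file read_file_perms;` together with the `ifdef(`distro_debian', ...)` dir search rule, and calling it as `dovecot_read_config(postfix_local_t)` from postfix.te; that keeps the Debian-specific dir handling in one place and avoids the raw `require`. The in-line comment also has a typo: "If deliver ist used by postfix" should read "is".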
