Package: refpolicy
Version: 2:0.0.20080702-14
Severity: normal
Tags: patch

Hello,

/usr/lib/dovecot/deliver, the LDA of dovecot, requires access to /etc/dovecot.conf. After applying the patch in #517709 deliver runs in the domain of the MTA. As it is recommended to run postfix as MTA together with SELinux, this will be the domain postfix_local_t. After applying the patch in #517712 /etc/dovecot.conf is dovecot_etc_t. Domain postfix_local_t has no access to type dovecot_etc_t. The attached patch will fix it.

Thanks
Frank
diff -urN refpolicy-0.0.20080702/policy/modules/services/dovecot.te refpolicy-0.0.20080702.new/policy/modules/services/dovecot.te --- refpolicy-0.0.20080702/policy/modules/services/dovecot.te 2009-03-01 17:31:47.000000000 +0100 +++ refpolicy-0.0.20080702.new/policy/modules/services/dovecot.te 2009-03-01 18:11:25.000000000 +0100 @@ -1,5 +1,5 @@ -policy_module(dovecot, 1.9.1) +policy_module(dovecot, 1.9.2) ######################################## # @@ -58,6 +58,18 @@ ifdef(`distro_debian', ` allow dovecot_t dovecot_etc_t:dir search_dir_perms; ') +# deliver runs in the domain of the caller but needs read access +# to config files. If deliver ist used by postfix it will run in +# domain postfix_local_t +optional_policy(` + require { + type postfix_local_t; + }; + allow postfix_local_t dovecot_etc_t:file read_file_perms; + ifdef(`distro_debian', ` + allow postfix_local_t dovecot_etc_t:dir search_dir_perms; + ') +') files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t)
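Review bot: In the second hunk (@@ -58,6 +58,18 @@), the bare `require { type postfix_local_t; };` inside `optional_policy()` in dovecot.te goes against the refpolicy convention that access to another module's types is expressed through interfaces: the usual form is an interface in dovecot.if (for example a `dovecot_read_config()` built on `gen_require()` and `read_files_pattern()`), which postfix.te then calls as `dovecot_read_config(postfix_local_t)`, so dovecot.te never has to name postfix types and the grant lives next to the domain that receives it. The trailing `;` after the closing brace of the require block is also not refpolicy style and should be dropped. Two smaller points: the added comment has a typo (`ist` should read `is`), and hardcoding `postfix_local_t` means any other MTA that invokes deliver will still be denied read access to `dovecot_etc_t`; since the cover text says deliver now runs in the caller's domain, a dedicated deliver domain entered by a domain transition would also avoid granting the MTA domain itself read access to dovecot's configuration. The `distro_debian` directory search rule mirrors the existing one for `dovecot_t` and looks correct as written.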