In 3.0.2 the courierlogger binary was moved to /usr/sbin and a symlink was provided for compatibility. The policy should be changed like this: in courier-imap.te +allow courier_tcpd_t courier_exec_t:lnk_file { read }; in courier-imap.fc -/usr/lib/courier-imap/courierlogger -- system_u:object_r:courier_exec_t +/usr/lib/courier-imap/courierlogger system_u:object_r:courier_exec_t +/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t I will check Monday if more rules must be changed on a more used server. On my home server I haven't found any additional inconsistencies.
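Review bot: in the courier-imap.fc change, the replacement entry "+/usr/lib/courier-imap/courierlogger system_u:object_r:courier_exec_t" drops the "--" file-type field, so it applies to any object class at that path and not only to the compatibility symlink. If labelling the symlink is the intent, restrict the entry to symlinks with "-l" in place of the removed "--". In the courier-imap.te rule, the braces around the single "read" permission can be dropped.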
No additional policy changes were needed. Please update the policy files. Bye, Peter
Generally we try not to give symlinks special labels. It seems like there only needs to be these additions, since it looks like the symlink would be bin_t with the current file contexts: allow courier_tcpd_t bin_t:lnk_file read; fc: /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
OK, it also works using your version.
selinux-courier-imap-20040406 committed to portage