| Summary: | courier-imap-3.0.2 policy | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | petre rodan (RETIRED) <kaiowas> |
| Component: | Hardened | Assignee: | Chris PeBenito (RETIRED) <pebenito> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
no additional policy changes were needed. please update the policy files. bye, peter Generally we try not to give symlinks special labels. It seems like there only needs to be these additions, since it looks like the symlink would be bin_t with the current file contexts: allow courier_tcpd_t bin_t:lnk_file read; fc: /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t ok, it also works using your version. selinux-courier-imap-20040406 committed to portage |
in 3.0.2 the courierlogger binary was moved in /usr/sbin and a symlink was provided for compatibility. the policy should be changed like this: in courier-imap.te +allow courier_tcpd_t courier_exec_t:lnk_file { read }; in courier-imap.fc -/usr/lib/courier-imap/courierlogger -- system_u:object_r:courier_exec_t +/usr/lib/courier-imap/courierlogger system_u:object_r:courier_exec_t +/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t I will check monday if more rules must be changed on a more used server. on my home server I haven't found any additional inconsistences.