Bug 439798 - sec-policy/selinux-dovecot lacks permissions
Summary: sec-policy/selinux-dovecot lacks permissions
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r6
Keywords:
Depends on:
Blocks:
Reported: 2012-10-26 20:22 UTC by Stan Sander
Modified: 2012-12-13 10:12 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stan Sander 2012-10-26 20:22:02 UTC
sec-policy/selinux-dovecot lacks required permissions for dovecot to be able to start and run.

Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:52): avc:  denied  { unlink } for  pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292320 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:53): avc:  denied  { create } for  pid=2837 comm="dovecot" name="stats-mail" scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:54): avc:  denied  { read write } for  pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:55): avc:  denied  { open } for  pid=2837 comm="dovecot" path="/var/run/dovecot/stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file

The following rules are needed to allow dovecot to start at boot time with SELinux enforcing:

allow dovecot_t dovecot_etc_t:lnk_file read_file_perms;
allow dovecot_t dovecot_etc_t:dir list_dir_perms;

manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
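The description above follows the usual policy-maintenance loop: read the AVC denials, collect the denied permissions per source type, target type and object class, and write the allow rule (or choose the reference-policy macro) that covers them. The Python script below is an added example and is not part of this bug report or of the Gentoo SELinux policy; it parses the four denials quoted above, emits the equivalent raw allow rule, and checks whether the reporter's proposed manage_fifo_files_pattern() grants every permission that was denied. The permission set it uses for manage_fifo_file_perms is the example's own assumption about the reference policy macro, not something stated in the bug.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in this bug report,
# copied verbatim so that the example runs offline.
AVC_LINES = [
    'Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:52): avc:  denied  { unlink } for  pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292320 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file',
    'Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:53): avc:  denied  { create } for  pid=2837 comm="dovecot" name="stats-mail" scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file',
    'Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:54): avc:  denied  { read write } for  pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file',
    'Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:55): avc:  denied  { open } for  pid=2837 comm="dovecot" path="/var/run/dovecot/stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file',
]

# One AVC record: the permission set in braces, then the source and target
# security contexts and the object class.  Fields in between (pid, comm,
# name, dev, ino, path) vary per record and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one kernel AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Aggregate denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(summary):
    """Render the aggregate as minimal raw allow rules, one per key, sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


# Assumed expansion of refpolicy's manage_fifo_file_perms, i.e. what the
# manage_fifo_files_pattern() macro grants on the fifo_file class.  This set
# is the example's own assumption, not something stated in the bug report.
MANAGE_FIFO_FILE_PERMS = {
    "create", "open", "getattr", "setattr", "read", "write", "append",
    "rename", "link", "unlink", "ioctl", "lock",
}


def uncovered(summary, src, tgt, tclass, granted):
    """Permissions still denied for (src, tgt, tclass) after granting `granted`."""
    return summary.get((src, tgt, tclass), set()) - granted


if __name__ == "__main__":
    summary = summarize(AVC_LINES)
    for rule in to_allow_rules(summary):
        print(rule)
    left = uncovered(summary, "dovecot_t", "dovecot_var_run_t", "fifo_file",
                     MANAGE_FIFO_FILE_PERMS)
    print("not covered by manage_fifo_files_pattern():", sorted(left) or "none")
```

Run against the quoted lines it prints a single rule, `allow dovecot_t dovecot_var_run_t:fifo_file { create open read unlink write };`, and reports that the proposed manage_fifo_files_pattern() leaves nothing uncovered. Note that the lnk_file and dir rules in the report are not justified by the four quoted denials; they would have come from earlier denials or from reading the policy, which is why generated rules of this kind are a starting point for review rather than something to install as-is.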
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-28 16:18:09 UTC
Looks like those are already in the repo upstream (and should be in the live ebuilds). The only thing I seem to have needed was to allow dovecot to write to terminals (so that the errors can be displayed).
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-03 17:36:36 UTC
In hardened-dev, r6 release
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:26:18 UTC
In main tree, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:12:16 UTC
r8 is now stable