Package: refpolicy
Version: 2:0.0.20080702-14
Severity: normal
Tags: patch

Hello,

dovecot's LDA /usr/lib/dovecot/deliver does not work because its context lib_t does not allow execution without a transition. As it is called by the MTA it is required to run deliver in the context of the MTA. Alternatively a transition might work as well. In the attached patch it will be labeled bin_t to allow the execution.

Thanks
Frank

diff -urN refpolicy-0.0.20080702/policy/modules/services/dovecot.fc refpolicy-0.0.20080702.new/policy/modules/services/dovecot.fc --- refpolicy-0.0.20080702/policy/modules/services/dovecot.fc 2008-02-25 20:31:03.000000000 +0100 +++ refpolicy-0.0.20080702.new/policy/modules/services/dovecot.fc 2009-03-01 16:59:39.000000000 +0100 @@ -16,7 +16,11 @@ /usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) ifdef(`distro_debian', ` +# in Debian these files are in /usr/lib/dovecot which is lib_t +# to execute without transition they should be bin_t - as /usr/libexec is +/usr/lib/dovecot(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/lib/dovecot/modules(/.*)? gen_context(system_u:object_r:lib_t,s0) ') ifdef(`distro_redhat', `
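
Review bot: the added `/usr/lib/dovecot(/.*)?` entry has no file-type field, unlike the `--` on the dovecot-auth line below it, so it labels the directory itself and every file under it as bin_t, not only the deliver binary the report is about. Consider narrowing it to the one executable, for example `/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:bin_t,s0)`. Since the patch comment says the directory is already lib_t, that would also make the extra `modules(/.*)?` lib_t line unnecessary. If the broad pattern is kept, the comment should name which other programs in that directory are meant to become executable without a transition, and the trailing "- as /usr/libexec is" should be reworded so the comparison is clear.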

