From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 30 Dec 2014 21:54:21 +0100
Subject: [refpolicy] [PATCH 6/6] Courier IMAP needs to manage the users' maildir
In-Reply-To: <1419970899-19892-7-git-send-email-sven.vermeulen@siphos.be>
References: <1419970899-19892-1-git-send-email-sven.vermeulen@siphos.be> <1419970899-19892-7-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <20141230205420.GC12724@bigboy.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Dec 30, 2014 at 09:21:39PM +0100, Sven Vermeulen wrote:
> Without these permissions, the logon immediately terminates and the
> following shows up in the logs:
>
> Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
> Dec 30 19:45:33 localhost imapd: root: Permission denied
>
> The first denial (and many similar ones follow when granted):
>
> type=AVC msg=audit(1419968733.163:197): avc: denied { search } for
> pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
> scontext=system_u:system_r:courier_pop_t:s0
> tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
>
> Signed-off-by: Sven Vermeulen
> --- > courier.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/courier.te b/courier.te > index c06c3ad..49fa11d 100644 > --- a/courier.te > +++ b/courier.te
> @@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t) > > miscfiles_read_localization(courier_pop_t) > > +mta_manage_mail_home_rw_content(courier_pop_t) > + Should this go together with a "mta_home_filetrans_mail_home(courier_pop_t, dir, ".maildir")", i.e. should courier-imapd be able to create that directory if it does not already exist? > userdom_manage_user_home_content_files(courier_pop_t) > userdom_manage_user_home_content_dirs(courier_pop_t) > The above may, or may not, be redundant now that we have a .maildir with a private type > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/f8a76373/attachment-0001.bin
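Review bot: The added `mta_manage_mail_home_rw_content(courier_pop_t)` line in the `@@ -148,6 +148,8 @@` hunk grants manage-level access on mail_home_rw_t, while the only denial quoted in the commit message is `{ search }` on the `.maildir` directory. Please list in the commit message the further denials that appeared once search was allowed (the message only says "many similar ones follow"), so the manage-level grant is justified by the record, or narrow the grant if less than manage turned out to be needed. Since the quoted AVC shows comm="courier-imapd" running as courier_pop_t, a one-line comment above the new call noting that the IMAP daemon runs in this domain would also make the rule easier to audit later.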