
Re: [refpolicy] dovecot: handling of hard links

From: Stefan Schulze Frielinghaus <stefan_at_nospam>
Date: Tue Aug 28 2007 - 12:59:02 GMT
To: Stefan Schulze Frielinghaus <stefan@sf-net.com>


Oh, I forgot: the only thing which doesn't really run quite fine now is init:

avc: denied { unlink } for pid=1175 comm="rm" name="ssl-parameters.dat" dev=hda7 ino=2129980 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dovecot_var_lib_t:s0 tclass=file

Because formerly it was labeled dovecot_var_run_t, which was declared with files_pid_file(dovecot_var_run_t).

On 28.08.2007, at 14:26, Stefan Schulze Frielinghaus wrote:

> dovecot uses a hard link:
>
> /var/lib/dovecot/ssl-parameters.dat
> /var/run/dovecot/login/ssl-parameters.dat
>
> and the policy file looks like that:
>
> /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
> /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
>
> While relabel:
>
> $ fixfiles relabel
>
> ...
> matchpathcon_filespec_add: conflicting specifications for /var/run/dovecot/login/ssl-parameters.dat and /var/lib/dovecot/ssl-parameters.dat, using system_u:object_r:dovecot_var_run_t:s0.
> ....
>
> According to the comment in the policy dovecot.te, the file should be
> labeled dovecot_var_lib_t, but fixfiles relabels it as
> dovecot_var_run_t. Attached is a patch which solves this.
>
> PS: tested on CentOS5
>
> <dovecot.fc.patch>
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
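As an added illustration of why fixfiles complains (this is not code from the thread or from refpolicy): a small Python model that applies file_contexts specs in the format quoted above to the two hard-linked paths and flags the inode whose links resolve to different types. It assumes, as libselinux does, that the last matching spec in the file wins; the fc lines, extra path and inode numbers are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed file_contexts fragment in the format quoted in the thread
# (the real refpolicy dovecot.fc may differ).
FC_SPECS = """
/var/run/dovecot(-login)?(/.*)?  gen_context(system_u:object_r:dovecot_var_run_t,s0)
/var/lib/dovecot(/.*)?           gen_context(system_u:object_r:dovecot_var_lib_t,s0)
"""
# Constructed hard-link table (path -> inode) mirroring the two dovecot paths.
HARDLINKS = {
    "/var/lib/dovecot/ssl-parameters.dat": 2129980,
    "/var/run/dovecot/login/ssl-parameters.dat": 2129980,
    "/var/run/dovecot/master.pid": 4711,
}

# regex, optional file-type flag (e.g. "--", "-d"), then gen_context(ctx,mls)
SPEC_RE = re.compile(r"^(\S+)\s+(?:-\S\s+)?gen_context\(([^,]+),\s*(\S+)\)$")

def parse_fc(text):
    """Parse fc lines into (compiled regex, context) pairs, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparseable fc line: " + line)
        regex, ctx, mls = m.groups()
        specs.append((re.compile(regex), ctx + ":" + mls))
    return specs

def match_context(specs, path):
    """Context for path; assumes, like libselinux, that the last matching
    spec wins (the policy build sorts more specific specs later)."""
    ctx = None
    for rx, c in specs:
        if rx.fullmatch(path):  # fc regexes are anchored at both ends
            ctx = c
    return ctx

def find_conflicts(specs, links):
    """Inodes whose hard links resolve to different contexts, which is
    what matchpathcon_filespec_add warns about during a relabel."""
    by_ino = defaultdict(list)
    for path, ino in links.items():
        by_ino[ino].append((path, match_context(specs, path)))
    return {ino: ents for ino, ents in by_ino.items()
            if len({c for _, c in ents}) > 1}
```

Running `find_conflicts(parse_fc(FC_SPECS), HARDLINKS)` reports inode 2129980 with one link resolving to dovecot_var_lib_t and the other to dovecot_var_run_t, which is exactly the conflict the relabel message describes.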