7 years ago · eeea104868
--- a/policy/modules/dovecot.te
+++ b/policy/modules/dovecot.te
@@ -1,4 +1,4 @@
 
															-policy_module(dovecot, 1.17.8)
														
 
															+policy_module(dovecot, 1.18.1)
														
 
															 ########################################
														
 
															 #
														
@@ -95,7 +95,7 @@ miscfiles_read_localization(dovecot_domain)
 
															 # Local policy
														
 
															 #
														
 
															-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
														
 
															+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot sys_resource };
														
 
															 dontaudit dovecot_t self:capability sys_tty_config;
														
 
															 allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
														
 
															 allow dovecot_t self:tcp_socket { accept listen };
														
@@ -127,6 +127,8 @@ manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 
															 manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
														
 
															 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
														
 
															 manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
														
 
															+allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
														
 
															+allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
														
 
															 manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
														
 
															 files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
														
@@ -139,6 +141,9 @@ allow dovecot_t dovecot_auth_t:process signal;
 
															 domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
														
 
															+files_list_usr(dovecot_t)
														
 
															+files_read_usr_files(dovecot_t)
														
 
															+
														
 
															 corenet_all_recvfrom_unlabeled(dovecot_t)
														
 
															 corenet_all_recvfrom_netlabel(dovecot_t)
														
 
															 corenet_tcp_sendrecv_generic_if(dovecot_t)
														
@@ -255,6 +260,9 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
 
															 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
														
 
															+selinux_get_enforce_mode(dovecot_auth_t)
														
 
															+selinux_get_fs_mount(dovecot_auth_t)
														
 
															+
														
 
															 files_search_pids(dovecot_auth_t)
														
 
															 files_read_usr_files(dovecot_auth_t)
														
 
															 files_read_var_lib_files(dovecot_auth_t)
														
@@ -266,7 +274,7 @@ init_rw_utmp(dovecot_auth_t)
 
															 logging_send_audit_msgs(dovecot_auth_t)
														
 
															-seutil_dontaudit_search_config(dovecot_auth_t)
														
 
															+seutil_search_default_contexts(dovecot_auth_t)
														
 
															 sysnet_use_ldap(dovecot_auth_t)