* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2008-09-24 20:38 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_dovecot.patch

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types

Add support for dovecot_deliver policy

additional spool and log file context

dovecot uses kerberos keytab

auth needs chown and dac_override

auth needs to connect to dovecot_t

creates files in /tmp

creates its own log files

creates a stream socket in /var/run

auth sends syslog and audit messages

auth reads usr_t files

auth can use mysql

auth can authenticate nis passwords

auth can use users' kerberos tgt

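
The admin interface Dan describes (start/stop through the init script plus admin_pattern on each file type) follows a fixed refpolicy shape. The block below is an added illustration of that shape, not the contents of the linked patch; it assumes the type names dovecot_etc_t, dovecot_spool_t, dovecot_var_lib_t, dovecot_var_run_t and dovecot_initrc_exec_t, which the thread does not spell out.

```selinux
## <summary>All of the rules required to administrate a dovecot environment.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
interface(`dovecot_admin',`
	gen_require(`
		type dovecot_t, dovecot_auth_t, dovecot_initrc_exec_t;
		type dovecot_etc_t, dovecot_spool_t;
		type dovecot_var_lib_t, dovecot_var_run_t;
	')

	# inspect and signal the daemons; no domain transition into them
	allow $1 { dovecot_t dovecot_auth_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { dovecot_t dovecot_auth_t })

	# start/stop via the init script, which runs in system_r
	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dovecot_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern grants create/read/write/delete on one labelled type,
	# so the admin domain is bounded by dovecot's own file contexts
	files_list_etc($1)
	admin_pattern($1, dovecot_etc_t)

	files_list_spool($1)
	admin_pattern($1, dovecot_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, dovecot_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, dovecot_var_run_t)
')
```

The list_* calls only allow traversal of the parent directories; everything the admin can actually modify is enumerated by the admin_pattern lines, which is why every dovecot file type has to appear there.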


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2008-10-14 20:42 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_dovecot.patch

initrc handling

Fix labeling on files only /var/run/dovecot/login/ssl-parameters.dat


Add admin interface

Add policy for deliver
Add domain to connect to dovecot_auth


dovecot uses /tmp

auth reads usr files

auth can communicate with mysql, postfix

Uses nis authentication

Uses gssapi


* [refpolicy] services_dovecot.patch
From: Paul Howarth @ 2008-10-14 22:59 UTC (permalink / raw)
  To: refpolicy

On Tue, 14 Oct 2008 16:42:00 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_dovecot.patch
> 
> initrc handling
> 
> Fix labeling on files only /var/run/dovecot/login/ssl-parameters.dat
> 
> 
> Add admin interface
> 
> Add policy for deliver
> Add domain to connect to dovecot_auth
> 
> 
> dovecot uses /tmp
> 
> auth reads usr files
> 
> auth can communicate with mysql, postfix
> 
> Uses nis authentication
> 
> Uses gssapi

Someone was whining on fedora-devel-list today that they'd configured
dovecot to write logs to a directory /var/log/dovecot that they'd
created but were blocked by SELinux. Cue standard anti-SELinux rantlet.
There's currently no dovecot_log_t to enable this easily, so perhaps
that could be added too?

Paul.
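
What Paul asks for is the usual refpolicy recipe for a per-service log type. The fragment below is an added illustration for this page, not code from Dan's patch; it uses the dovecot_log_t name Paul suggests and assumes /var/log/dovecot is the directory to label and that dovecot_t is the only domain that writes there.

```selinux
# dovecot.fc: label the directory and anything created inside it
/var/log/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_log_t,s0)

# dovecot.te: declare the type and mark it as a log file type, so the
# generic logging interfaces (logrotate, log readers) already cover it
type dovecot_log_t;
logging_log_file(dovecot_log_t)

# dovecot_t may create and manage its own logs and nothing else under
# /var/log: the rules are scoped to dovecot_log_t only
manage_dirs_pattern(dovecot_t, dovecot_log_t, dovecot_log_t)
manage_files_pattern(dovecot_t, dovecot_log_t, dovecot_log_t)

# a dir or file dovecot_t creates directly in /var/log (var_log_t) gets
# the new label automatically instead of inheriting var_log_t
logging_log_filetrans(dovecot_t, dovecot_log_t, { dir file })
```

A directory the admin created before the module was loaded still carries var_log_t, so `restorecon -Rv /var/log/dovecot` is needed once; `matchpathcon /var/log/dovecot` shows the context the fc entry resolves to.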


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2009-06-09  0:31 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_dovecot.patch

Add context for dovecot init script

policy to cover dovecot/deliver executable

Dovecot uses kerberos templates.

Dovecot_auth needs chown and dac_override

dovecot auth creates /tmp files

Uses var_run and connects to the auth_stream

Sends audit and syslog messages


* [refpolicy] services_dovecot.patch
From: Christopher J. PeBenito @ 2009-06-30 19:29 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-06-08 at 20:31 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_dovecot.patch
> 
> Add context for dovecot init script
> 
> policy to cover dovecot/deliver executable
> 
> Dovecot uses kerberos templates.
> 
> Dovecot_auth needs chown and dac_override
> 
> dovecot auth creates /tmp files
> 
> Uses var_run and connects to the auth_stream
> 
> Sends audit and syslog messages

Merged.  Now that there is a deliver domain, can the userdom_* calls be
removed from the main dovecot_t domain?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2009-06-30 19:53 UTC (permalink / raw)
  To: refpolicy

On 06/30/2009 03:29 PM, Christopher J. PeBenito wrote:
> On Mon, 2009-06-08 at 20:31 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_dovecot.patch
>>
>> Add context for dovecot init script
>>
>> policy to cover dovecot/deliver executable
>>
>> Dovecot uses kerberos templates.
>>
>> Dovecot_auth needs chown and dac_override
>>
>> dovecot auth creates /tmp files
>>
>> Uses var_run and connects to the auth_stream
>>
>> Sends audit and syslog messages
>
> Merged.  Now that there is a deliver domain, can the userdom_* calls be
> removed from the main dovecot_t domain?
>
Probably.


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2009-11-12 21:29 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_dovecot.patch

dovecot is dropping capabilities,

getattr on mounted file systems

dovecot auth sends itself signals and drops capabilities

reads users' tmp files (kerberos tickets)


deliver_t needs to write to cifs and nfs homedir


* [refpolicy] services_dovecot.patch
From: Christopher J. PeBenito @ 2010-01-07 16:52 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 16:29 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_dovecot.patch
> 
> dovecot is dropping capabilities,
> 
> getattr on mounted file systems
> 
> dovecot auth sends itself signals and drops capabilities
> 
> reads users' tmp files (kerberos tickets)

Moved this into the optional with kerberos_use()

> deliver_t needs to write to cifs and nfs homedir

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
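
Chris's earlier question (can the userdom_* calls move out of dovecot_t?), the nfs/cifs homedir item and the kerberos_use() change all come down to the same thing: keep user-home access in the delivery domain and make the Kerberos rules optional. The block below is an added illustration of that layout, not Dan's patch; it assumes the type names dovecot_deliver_t, dovecot_deliver_exec_t and dovecot_var_run_t, the binary path /usr/libexec/dovecot/deliver, and that dovecot_auth_t is the domain that reads the tickets, none of which the thread states.

```selinux
# dovecot.fc: the local delivery agent gets its own entrypoint label
# (path is an assumption; take it from the installed package)
/usr/libexec/dovecot/deliver	--	gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)

# dovecot.te: a separate domain for deliver, entered only through that binary
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;

# dovecot_t launches deliver and transitions; the rules below then apply
# to the child, not to the IMAP/POP daemon itself
domtrans_pattern(dovecot_t, dovecot_deliver_exec_t, dovecot_deliver_t)

# deliver talks to the auth socket under /var/run (assumed dovecot_var_run_t)
stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)

# writing mailboxes in $HOME belongs here, so the userdom_* calls can leave
# dovecot_t entirely and a compromised daemon gets no home-directory access
userdom_manage_user_home_content_dirs(dovecot_deliver_t)
userdom_manage_user_home_content_files(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file })

# nfs/cifs home directories only when the admin has turned the boolean on
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(dovecot_deliver_t)
	fs_manage_nfs_files(dovecot_deliver_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_manage_cifs_dirs(dovecot_deliver_t)
	fs_manage_cifs_files(dovecot_deliver_t)
')

# the Kerberos ticket access goes in an optional block, as Chris did, so
# the module still builds when the kerberos module is not installed
optional_policy(`
	kerberos_use(dovecot_auth_t)
')
```

With this split, `sesearch -A -s dovecot_t -t user_home_t` should come back empty while the same query for dovecot_deliver_t lists the manage permissions, which is the quickest check that the rules really moved.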


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2010-02-23 21:49 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_dovecot.patch

dovecot has a log dir.

Listens on the mail port

Does a getattr on all file systems

Can have a postgresql back end

dovecot_deliver needs to be able to write to users' homedirs even if they
are on nfs and cifs.


* [refpolicy] services_dovecot.patch
From: Daniel J Walsh @ 2010-08-26 21:14 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_dovecot.patch

Fix dovecot_admin interface

Label its cert files


tmpfs as /var/run

Communicates with postfix private

