dovecot_selinux(8) SELinux Policy dovecot dovecot_selinux(8)

NAME
dovecot_selinux - Security Enhanced Linux Policy for the dovecot processes

DESCRIPTION
Security-Enhanced Linux secures the dovecot processes via flexible mandatory access control.

The dovecot processes execute with the dovecot_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep dovecot_t

ENTRYPOINTS
The dovecot_t SELinux type can be entered via the dovecot_exec_t file type.

The default entrypoint paths for the dovecot_t domain are the following:

/usr/sbin/dovecot

PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux dovecot policy is very flexible, allowing users to set up their dovecot processes in as secure a method as possible.

The following process types are defined for dovecot:

dovecot_t, dovecot_auth_t, dovecot_deliver_t

Note: semanage permissive -a dovecot_t can be used to make the process type dovecot_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.

BOOLEANS
SELinux policy is customizable based on the least access required. dovecot policy is extremely flexible and has several booleans that allow you to manipulate the policy and run dovecot with the tightest access possible.

If you want to dontaudit all daemons scheduling requests (setsched, sys_nice), you must turn on the daemons_dontaudit_scheduling boolean. Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

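As an added example (not part of this generated man page or of the dovecot policy), the following POSIX shell script compares the four booleans listed above against the defaults this page states, so that drift such as nis_enabled being switched on or fips_mode being switched off is reported. The getsebool sample lines are constructed; on a live host, feed it the real output with `getsebool -a | audit_dovecot_booleans`.

```shell
#!/bin/sh
# Added example; not part of the generated man page or the dovecot policy.
# Reads "name --> on|off" lines (the getsebool -a format) on stdin and
# reports every documented boolean whose state differs from its default.

# Documented defaults, taken from the BOOLEANS section of this page.
EXPECTED='daemons_dontaudit_scheduling=on
fips_mode=on
kerberos_enabled=on
nis_enabled=off'

# expected_state NAME: print the documented default for NAME, or nothing
# if NAME is not one of the booleans this page documents.
expected_state() {
    printf '%s\n' "$EXPECTED" | awk -F= -v n="$1" '$1 == n { print $2 }'
}

# audit_dovecot_booleans: print one line per boolean that differs from its
# documented default; return 1 when any drift was found, 0 otherwise.
# Booleans not documented on this page are ignored.
audit_dovecot_booleans() {
    drift=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue
        want=$(expected_state "$name")
        [ -n "$want" ] || continue
        if [ "$state" != "$want" ]; then
            printf '%s: is %s, documented default is %s\n' \
                "$name" "$state" "$want"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed sample of getsebool -a output (not captured from a real host).
SAMPLE='daemons_dontaudit_scheduling --> on
fips_mode --> off
kerberos_enabled --> on
nis_enabled --> on
unrelated_bool --> off'

# Example run: two drifted booleans are printed and the status is 1.
printf '%s\n' "$SAMPLE" | audit_dovecot_booleans \
    || echo "drift found, exit status $?"
```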
MANAGED FILES
The SELinux process type dovecot_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cifs_t

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

data_home_t

/root/.local/share(/.*)?
/home/[^/]+/.local/share(/.*)?

dovecot_spool_t

/var/spool/dovecot(/.*)?

dovecot_tmp_t

dovecot_var_lib_t

/var/lib/dovecot(/.*)?
/var/run/dovecot/login/ssl-parameters.dat

dovecot_var_log_t

/var/log/dovecot(/.*)?
/var/log/dovecot.log.*

dovecot_var_run_t

/var/run/dovecot(-login)?(/.*)?

ecryptfs_t

/home/[^/]+/.Private(/.*)?
/home/[^/]+/.ecryptfs(/.*)?

fusefs_t

/var/run/user/[0-9]+/gvfs

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

mail_home_rw_t

/root/Maildir(/.*)?
/root/.esmtp_queue(/.*)?
/var/lib/arpwatch/.esmtp_queue(/.*)?
/var/cache/ddclient/.esmtp_queue(/.*)?
/home/[^/]+/.maildir(/.*)?
/home/[^/]+/Maildir(/.*)?
/home/[^/]+/.esmtp_queue(/.*)?

mail_spool_t

/var/mail(/.*)?
/var/spool/imap(/.*)?
/var/spool/mail(/.*)?
/var/spool/smtpd(/.*)?

nfs_t

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

user_home_t

/home/[^/]+/.+

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux dovecot policy is very flexible, allowing users to set up their dovecot processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

dovecot policy stores data with multiple different file context types under the /var/log/dovecot directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following commands:

semanage fcontext -a -e /var/log/dovecot /srv/dovecot
restorecon -R -v /srv/dovecot

STANDARD FILE CONTEXT

SELinux defines the file context types for dovecot. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t dovecot_exec_t '/srv/dovecot/content(/.*)?'
restorecon -R -v /srv/dovecot/content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for dovecot:

dovecot_auth_exec_t

- Set files with the dovecot_auth_exec_t type, if you want to transition an executable to the dovecot_auth_t domain.

Paths:
/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth

dovecot_auth_tmp_t

- Set files with the dovecot_auth_tmp_t type, if you want to store dovecot auth temporary files in the /tmp directories.

dovecot_cert_t

- Set files with the dovecot_cert_t type, if you want to treat the files as dovecot certificate data.

Paths:
/etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot.pem, /usr/share/ssl/private/dovecot.pem

dovecot_deliver_exec_t

- Set files with the dovecot_deliver_exec_t type, if you want to transition an executable to the dovecot_deliver_t domain.

Paths:
/usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda

dovecot_deliver_tmp_t

- Set files with the dovecot_deliver_tmp_t type, if you want to store dovecot deliver temporary files in the /tmp directories.

dovecot_etc_t

- Set files with the dovecot_etc_t type, if you want to store dovecot files in the /etc directories.

Paths:
/etc/dovecot(/.*)?, /etc/dovecot.conf.*

dovecot_exec_t

- Set files with the dovecot_exec_t type, if you want to transition an executable to the dovecot_t domain.

dovecot_initrc_exec_t

- Set files with the dovecot_initrc_exec_t type, if you want to transition an executable to the dovecot_initrc_t domain.

dovecot_keytab_t

- Set files with the dovecot_keytab_t type, if you want to treat the files as kerberos keytab files.

dovecot_passwd_t

- Set files with the dovecot_passwd_t type, if you want to treat the files as dovecot passwd data.

dovecot_spool_t

- Set files with the dovecot_spool_t type, if you want to store the dovecot files under the /var/spool directory.

dovecot_tmp_t

- Set files with the dovecot_tmp_t type, if you want to store dovecot temporary files in the /tmp directories.

dovecot_var_lib_t

- Set files with the dovecot_var_lib_t type, if you want to store the dovecot files under the /var/lib directory.

Paths:
/var/lib/dovecot(/.*)?, /var/run/dovecot/login/ssl-parameters.dat

dovecot_var_log_t

- Set files with the dovecot_var_log_t type, if you want to treat the data as dovecot var log data, usually stored under the /var/log directory.

Paths:
/var/log/dovecot(/.*)?, /var/log/dovecot.log.*

dovecot_var_run_t

- Set files with the dovecot_var_run_t type, if you want to store the dovecot files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.

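As an added example (not part of this generated man page or of the dovecot policy), the following POSIX shell script checks `ls -dZ` style "context path" lines against the default dovecot file-context regexes listed above and reports files whose type no longer matches, which is what happens after a chcon that restorecon has not undone or when files were created before the labeling database was updated. The rule table and the sample lines are constructed from the paths on this page; on a live host `restorecon -n -v` is the authoritative version of this check against the installed policy.

```shell
#!/bin/sh
# Added example; not part of the generated man page or the dovecot policy.
# Live usage: find /etc/dovecot /var/lib/dovecot -exec ls -dZ {} + | check_labels

# Default path regex -> type, taken from the FILE CONTEXTS section above.
# First matching rule wins, as with the policy's own file_contexts ordering.
DEFAULT_CONTEXTS='^/etc/dovecot(/.*)?$ dovecot_etc_t
^/etc/dovecot\.conf.* dovecot_etc_t
^/etc/pki/dovecot(/.*)?$ dovecot_cert_t
^/var/spool/dovecot(/.*)?$ dovecot_spool_t
^/var/lib/dovecot(/.*)?$ dovecot_var_lib_t
^/var/log/dovecot(/.*)?$ dovecot_var_log_t
^/var/log/dovecot\.log.* dovecot_var_log_t
^/var/run/dovecot(-login)?(/.*)?$ dovecot_var_run_t'

# expected_type PATH: print the type of the first matching rule, or nothing
# when no dovecot rule covers PATH (such files are skipped by check_labels).
expected_type() {
    printf '%s\n' "$DEFAULT_CONTEXTS" | awk -v p="$1" 'p ~ $1 { print $2; exit }'
}

# check_labels: read "user:role:type:level path" lines on stdin, print
# "path: is TYPE, expected TYPE" for each mismatch, return 1 if any found.
check_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        type=$(printf '%s\n' "$ctx" | cut -d: -f3)   # third field is the type
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        if [ "$type" != "$want" ]; then
            printf '%s: is %s, expected %s\n' "$path" "$type" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample of ls -dZ output (not captured from a real host).
SAMPLE='system_u:object_r:dovecot_etc_t:s0 /etc/dovecot/dovecot.conf
unconfined_u:object_r:user_home_t:s0 /etc/dovecot/conf.d/10-auth.conf
system_u:object_r:dovecot_cert_t:s0 /etc/pki/dovecot/certs/dovecot.pem
system_u:object_r:var_log_t:s0 /var/log/dovecot.log
system_u:object_r:dovecot_var_run_t:s0 /var/run/dovecot-login/ssl-params
system_u:object_r:etc_t:s0 /etc/postfix/main.cf'

# Example run: the two mislabeled dovecot files are printed; main.cf is
# not covered by any dovecot rule and is skipped.
printf '%s\n' "$SAMPLE" | check_labels || echo "mislabeled files found, exit status $?"
```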

COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), dovecot_auth_selinux(8), dovecot_deliver_selinux(8)

dovecot 23-12-15 dovecot_selinux(8)