1dovecot_selinux(8) SELinux Policy dovecot dovecot_selinux(8)
2
3
4
6 dovecot_selinux - Security Enhanced Linux Policy for the dovecot pro‐
7 cesses
8
10 Security-Enhanced Linux secures the dovecot processes via flexible
11 mandatory access control.
12
13 The dovecot processes execute with the dovecot_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep dovecot_t
20
21
22
24 The dovecot_t SELinux type can be entered via the dovecot_exec_t file
25 type.
26
27 The default entrypoint paths for the dovecot_t domain are the follow‐
28 ing:
29
30 /usr/sbin/dovecot
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 dovecot policy is very flexible allowing users to setup their dovecot
40 processes in as secure a method as possible.
41
42 The following process types are defined for dovecot:
43
44 dovecot_t, dovecot_auth_t, dovecot_deliver_t
45
46 Note: semanage permissive -a dovecot_t can be used to make the process
47 type dovecot_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. dovecot
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run dovecot with the tightest access possi‐
56 ble.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Disabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 The SELinux process type dovecot_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 cifs_t
102
103
104 cluster_conf_t
105
106 /etc/cluster(/.*)?
107
108 cluster_var_lib_t
109
110 /var/lib/pcsd(/.*)?
111 /var/lib/cluster(/.*)?
112 /var/lib/openais(/.*)?
113 /var/lib/pengine(/.*)?
114 /var/lib/corosync(/.*)?
115 /usr/lib/heartbeat(/.*)?
116 /var/lib/heartbeat(/.*)?
117 /var/lib/pacemaker(/.*)?
118
119 cluster_var_run_t
120
121 /var/run/crm(/.*)?
122 /var/run/cman_.*
123 /var/run/rsctmp(/.*)?
124 /var/run/aisexec.*
125 /var/run/heartbeat(/.*)?
126 /var/run/corosync-qnetd(/.*)?
127 /var/run/corosync-qdevice(/.*)?
128 /var/run/corosync.pid
129 /var/run/cpglockd.pid
130 /var/run/rgmanager.pid
131 /var/run/cluster/rgmanager.sk
132
133 data_home_t
134
135 /root/.local/share(/.*)?
136 /home/[^/]+/.local/share(/.*)?
137
138 dovecot_spool_t
139
140 /var/spool/dovecot(/.*)?
141
142 dovecot_tmp_t
143
144
145 dovecot_var_lib_t
146
147 /var/lib/dovecot(/.*)?
148 /var/run/dovecot/login/ssl-parameters.dat
149
150 dovecot_var_log_t
151
152 /var/log/dovecot(/.*)?
153 /var/log/dovecot.log.*
154
155 dovecot_var_run_t
156
157 /var/run/dovecot(-login)?(/.*)?
158
159 ecryptfs_t
160
161 /home/[^/]+/.Private(/.*)?
162 /home/[^/]+/.ecryptfs(/.*)?
163
164 fusefs_t
165
166 /var/run/user/[^/]*/gvfs
167
168 krb5_host_rcache_t
169
170 /var/cache/krb5rcache(/.*)?
171 /var/tmp/nfs_0
172 /var/tmp/DNS_25
173 /var/tmp/host_0
174 /var/tmp/imap_0
175 /var/tmp/HTTP_23
176 /var/tmp/HTTP_48
177 /var/tmp/ldap_55
178 /var/tmp/ldap_487
179 /var/tmp/ldapmap1_0
180
181 mail_home_rw_t
182
183 /root/Maildir(/.*)?
184 /root/.esmtp_queue(/.*)?
185 /var/lib/arpwatch/.esmtp_queue(/.*)?
186 /home/[^/]+/.maildir(/.*)?
187 /home/[^/]+/Maildir(/.*)?
188 /home/[^/]+/.esmtp_queue(/.*)?
189
190 mail_spool_t
191
192 /var/mail(/.*)?
193 /var/spool/imap(/.*)?
194 /var/spool/mail(/.*)?
195 /var/spool/smtpd(/.*)?
196
197 nfs_t
198
199
200 root_t
201
202 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
203 /
204 /initrd
205
206 security_t
207
208 /selinux
209
210 user_home_t
211
212 /home/[^/]+/.+
213
214
216 SELinux requires files to have an extended attribute to define the file
217 type.
218
219 You can see the context of a file using the -Z option to ls
220
221 Policy governs the access confined processes have to these files.
222 SELinux dovecot policy is very flexible allowing users to setup their
223 dovecot processes in as secure a method as possible.
224
225 EQUIVALENCE DIRECTORIES
226
227
228 dovecot policy stores data with multiple different file context types
229 under the /var/log/dovecot directory. If you would like to store the
230 data in a different directory you can use the semanage command to cre‐
231 ate an equivalence mapping. If you wanted to store this data under the
232 /srv dirctory you would execute the following command:
233
234 semanage fcontext -a -e /var/log/dovecot /srv/dovecot
235 restorecon -R -v /srv/dovecot
236
237 STANDARD FILE CONTEXT
238
239 SELinux defines the file context types for the dovecot, if you wanted
240 to store files with these types in a diffent paths, you need to execute
241 the semanage command to sepecify alternate labeling and then use
242 restorecon to put the labels on disk.
243
244 semanage fcontext -a -t dovecot_var_run_t '/srv/mydovecot_con‐
245 tent(/.*)?'
246 restorecon -R -v /srv/mydovecot_content
247
248 Note: SELinux often uses regular expressions to specify labels that
249 match multiple files.
250
251 The following file types are defined for dovecot:
252
253
254
255 dovecot_auth_exec_t
256
257 - Set files with the dovecot_auth_exec_t type, if you want to transi‐
258 tion an executable to the dovecot_auth_t domain.
259
260
261 Paths:
262 /usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
263
264
265 dovecot_auth_tmp_t
266
267 - Set files with the dovecot_auth_tmp_t type, if you want to store
268 dovecot auth temporary files in the /tmp directories.
269
270
271
272 dovecot_cert_t
273
274 - Set files with the dovecot_cert_t type, if you want to treat the
275 files as dovecot certificate data.
276
277
278 Paths:
279 /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot.pem,
280 /usr/share/ssl/private/dovecot.pem
281
282
283 dovecot_deliver_exec_t
284
285 - Set files with the dovecot_deliver_exec_t type, if you want to tran‐
286 sition an executable to the dovecot_deliver_t domain.
287
288
289 Paths:
290 /usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda
291
292
293 dovecot_deliver_tmp_t
294
295 - Set files with the dovecot_deliver_tmp_t type, if you want to store
296 dovecot deliver temporary files in the /tmp directories.
297
298
299
300 dovecot_etc_t
301
302 - Set files with the dovecot_etc_t type, if you want to store dovecot
303 files in the /etc directories.
304
305
306 Paths:
307 /etc/dovecot(/.*)?, /etc/dovecot.conf.*
308
309
310 dovecot_exec_t
311
312 - Set files with the dovecot_exec_t type, if you want to transition an
313 executable to the dovecot_t domain.
314
315
316
317 dovecot_initrc_exec_t
318
319 - Set files with the dovecot_initrc_exec_t type, if you want to transi‐
320 tion an executable to the dovecot_initrc_t domain.
321
322
323
324 dovecot_keytab_t
325
326 - Set files with the dovecot_keytab_t type, if you want to treat the
327 files as kerberos keytab files.
328
329
330
331 dovecot_passwd_t
332
333 - Set files with the dovecot_passwd_t type, if you want to treat the
334 files as dovecot passwd data.
335
336
337
338 dovecot_spool_t
339
340 - Set files with the dovecot_spool_t type, if you want to store the
341 dovecot files under the /var/spool directory.
342
343
344
345 dovecot_tmp_t
346
347 - Set files with the dovecot_tmp_t type, if you want to store dovecot
348 temporary files in the /tmp directories.
349
350
351
352 dovecot_var_lib_t
353
354 - Set files with the dovecot_var_lib_t type, if you want to store the
355 dovecot files under the /var/lib directory.
356
357
358 Paths:
359 /var/lib/dovecot(/.*)?, /var/run/dovecot/login/ssl-parameters.dat
360
361
362 dovecot_var_log_t
363
364 - Set files with the dovecot_var_log_t type, if you want to treat the
365 data as dovecot var log data, usually stored under the /var/log direc‐
366 tory.
367
368
369 Paths:
370 /var/log/dovecot(/.*)?, /var/log/dovecot.log.*
371
372
373 dovecot_var_run_t
374
375 - Set files with the dovecot_var_run_t type, if you want to store the
376 dovecot files under the /run or /var/run directory.
377
378
379
380 Note: File context can be temporarily modified with the chcon command.
381 If you want to permanently change the file context you need to use the
382 semanage fcontext command. This will modify the SELinux labeling data‐
383 base. You will need to use restorecon to apply the labels.
384
385
387 semanage fcontext can also be used to manipulate default file context
388 mappings.
389
390 semanage permissive can also be used to manipulate whether or not a
391 process type is permissive.
392
393 semanage module can also be used to enable/disable/install/remove pol‐
394 icy modules.
395
396 semanage boolean can also be used to manipulate the booleans
397
398
399 system-config-selinux is a GUI tool available to customize SELinux pol‐
400 icy settings.
401
402
404 This manual page was auto-generated using sepolicy manpage .
405
406
408 selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepol‐
409 icy(8), setsebool(8), dovecot_auth_selinux(8), dovecot_auth_selinux(8),
410 dovecot_deliver_selinux(8), dovecot_deliver_selinux(8)
411
412
413
414dovecot 19-12-02 dovecot_selinux(8)