dovecot_selinux(8)          SELinux Policy dovecot          dovecot_selinux(8)


NAME

       dovecot_selinux - Security Enhanced Linux Policy for the dovecot
       processes


DESCRIPTION

       Security-Enhanced Linux confines the dovecot processes with flexible
       mandatory access control.

       The dovecot processes execute with the dovecot_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep dovecot_t

       To see the auth and deliver helpers as well, which run as
       dovecot_auth_t and dovecot_deliver_t, grep for dovecot_ instead.

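       The same check done from a script, as an added example (shell with
       awk) that is not part of the sepolicy-generated page. It reads saved
       ps -eZ output, embedded here as constructed sample input, lists every
       process in one of the three dovecot domains named under PROCESS TYPES,
       and reports any dovecot master process that is running outside them,
       which is the case where this policy is not being applied at all:

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Expected dovecot domains (PROCESS TYPES section of this page).
DOVECOT_DOMAINS="dovecot_t dovecot_auth_t dovecot_deliver_t"

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD); the last
# line models a master process that runs outside its confined domain.
SAMPLE_PS=$(cat <<'EOF'
LABEL                                     PID TTY          TIME CMD
system_u:system_r:dovecot_t:s0           1201 ?        00:00:00 dovecot
system_u:system_r:dovecot_auth_t:s0      1203 ?        00:00:00 auth
system_u:system_r:dovecot_t:s0           1204 ?        00:00:00 imap-login
system_u:system_r:unconfined_service_t:s0 1300 ?       00:00:00 dovecot
EOF
)

# Print "PID TYPE CMD" for every process whose SELinux type is one of the
# dovecot domains. The type is the third colon-separated field of the label.
dovecot_processes() {
    awk -v doms="$DOVECOT_DOMAINS" '
        BEGIN { n = split(doms, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 {
            split($1, c, ":"); t = c[3]
            if (t in want) {
                cmd = $5; for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $2, t, cmd
            }
        }'
}

# Print "PID TYPE" for processes named dovecot that are NOT in a dovecot
# domain. A hit means no transition to dovecot_t happened at exec time:
# typically /usr/sbin/dovecot lost its dovecot_exec_t label (fix with
# restorecon -v /usr/sbin/dovecot) or it was started from a parent domain
# that has no transition rule into dovecot_t.
unconfined_dovecot() {
    awk -v doms="$DOVECOT_DOMAINS" '
        BEGIN { n = split(doms, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && $5 == "dovecot" {
            split($1, c, ":"); t = c[3]
            if (!(t in want)) print $2, t
        }'
}

# Stand-alone run on the sample; on a real host use: ps -eZ | unconfined_dovecot
printf '%s\n' "$SAMPLE_PS" | dovecot_processes
printf '%s\n' "$SAMPLE_PS" | unconfined_dovecot
```

       The process names in the sample are constructed; only the label column
       matters to the check, and it is read the same way whatever the command
       is called.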

ENTRYPOINTS

       The dovecot_t SELinux type can be entered via the dovecot_exec_t file
       type.

       The default entrypoint paths for the dovecot_t domain are the
       following:

       /usr/sbin/dovecot


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files.  SELinux
       dovecot policy is very flexible, allowing users to set up their dovecot
       processes in as secure a manner as possible.

       The following process types are defined for dovecot:

       dovecot_t, dovecot_auth_t, dovecot_deliver_t

       Note: semanage permissive -a dovecot_t can be used to make the process
       type dovecot_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, so the audit log shows what enforcing mode would have
       blocked.  Revert with semanage permissive -d dovecot_t once the policy
       or the labels have been fixed; while the domain is permissive the
       policy gives dovecot no protection at all.

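       A triage helper for those denial messages, as an added example (shell
       with awk) that is not part of the sepolicy-generated page. It reduces
       raw AVC records to the tuple a policy author works with, source type,
       target type, object class, permissions and whether the denial was
       enforced or only logged because the domain is permissive, and can
       restrict the view to one source domain. The audit lines are
       constructed sample input laid out like the records in
       /var/log/audit/audit.log:

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Constructed sample AVC records. permissive=1 marks a denial that was
# logged but not enforced (the domain is permissive); the third line comes
# from another domain and the fourth is not an AVC record at all, so both
# must stay out of the dovecot_t view.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1702000000.123:456): avc:  denied  { read } for  pid=1204 comm="imap" name="dovecot.index" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1702000001.456:457): avc:  denied  { name_connect } for  pid=1203 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1702000002.789:458): avc:  denied  { search } for  pid=2001 comm="httpd" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1702000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="imap" exe="/usr/libexec/dovecot/imap" subj=system_u:system_r:dovecot_t:s0 key=(null)
EOF
)

# Reduce each AVC denial on stdin to:
#   SOURCE_TYPE TARGET_TYPE CLASS PERMS MODE
# where PERMS is comma-joined and MODE is "enforced" or "logged-only".
avc_summary() {
    awk '
        /^type=AVC / && /avc: *denied/ {
            lb = index($0, "{"); rb = index($0, "}")
            perms = substr($0, lb + 1, rb - lb - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            s = t = cls = mode = "?"
            for (i = 1; i <= NF; i++) {
                eq = index($i, "="); if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                if (k == "scontext")        { split(v, c, ":"); s = c[3] }
                else if (k == "tcontext")   { split(v, c, ":"); t = c[3] }
                else if (k == "tclass")     cls = v
                else if (k == "permissive") mode = (v == "1") ? "logged-only" : "enforced"
            }
            print s, t, cls, perms, mode
        }'
}

# Same summary restricted to one source domain, e.g. avc_for_domain dovecot_t
avc_for_domain() {
    avc_summary | awk -v d="$1" '$1 == d'
}

# Count denials that enforcing mode would have blocked: these are the labels
# to fix (restorecon) or the rules to write before running
# semanage permissive -d on the domain.
logged_only_count() {
    avc_summary | awk '$5 == "logged-only" { n++ } END { print n + 0 }'
}

# Stand-alone run on the sample; on a real host pipe in: ausearch -m AVC -ts recent
printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain dovecot_t
printf '%s\n' "$SAMPLE_AUDIT" | avc_for_domain dovecot_auth_t
printf '%s\n' "$SAMPLE_AUDIT" | logged_only_count
```

       The first sample denial is the common mislabeling case: a mail file
       under a directory created without an fcontext rule ends up as
       default_t, which dovecot_t cannot read; the fix is a label, not a
       policy change.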

BOOLEANS

       SELinux policy is customizable based on the least access required.
       dovecot policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run dovecot with the tightest
       access possible.

       If you want to dontaudit (suppress the audit messages for) all daemons'
       scheduling requests (setsched, sys_nice), you must turn on the
       daemons_dontaudit_scheduling boolean.  Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean.  Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean.  Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean.  Disabled by default.

       setsebool -P nis_enabled 1

       Note that none of these booleans is specific to dovecot: each one
       widens or narrows access for every domain that references it.  Check
       the current value with getsebool before changing it, and use -P only
       when the change should persist across reboots.


MANAGED FILES

       The SELinux process type dovecot_t can manage files labeled with the
       following file types.  The paths listed are the default paths for these
       file types.  Note that the process's UID still needs DAC permissions:
       SELinux adds its checks on top of the ordinary Unix permission check
       and never replaces it.

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       data_home_t

            /root/.local/share(/.*)?
            /home/[^/]+/.local/share(/.*)?

       dovecot_spool_t

            /var/spool/dovecot(/.*)?

       dovecot_tmp_t

       dovecot_var_lib_t

            /var/lib/dovecot(/.*)?
            /var/run/dovecot/login/ssl-parameters.dat

       dovecot_var_log_t

            /var/log/dovecot(/.*)?
            /var/log/dovecot.log.*

       dovecot_var_run_t

            /var/run/dovecot(-login)?(/.*)?

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[0-9]+/gvfs

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       mail_home_rw_t

            /root/Maildir(/.*)?
            /root/.esmtp_queue(/.*)?
            /var/lib/arpwatch/.esmtp_queue(/.*)?
            /var/cache/ddclient/.esmtp_queue(/.*)?
            /home/[^/]+/.maildir(/.*)?
            /home/[^/]+/Maildir(/.*)?
            /home/[^/]+/.esmtp_queue(/.*)?

       mail_spool_t

            /var/mail(/.*)?
            /var/spool/imap(/.*)?
            /var/spool/mail(/.*)?
            /var/spool/smtpd(/.*)?

       nfs_t

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       user_home_t

            /home/[^/]+/.+

       Types listed without a path are not assigned by path: cifs_t and nfs_t
       label files on mounted CIFS and NFS filesystems, and dovecot_tmp_t is
       given to the temporary files dovecot creates under /tmp.  The reach of
       this list (user home directories, cluster state, the root directory)
       is what a compromised dovecot_t process could write to, so it is worth
       reviewing when assessing the blast radius of the service.


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux dovecot policy is very flexible, allowing users to set up their
       dovecot processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       dovecot policy stores data with multiple different file context types
       under the /var/log/dovecot directory.  If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping.  If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/dovecot /srv/dovecot
       restorecon -R -v /srv/dovecot

       An equivalence mapping makes every labeling rule that applies to a path
       under /var/log/dovecot apply to the same relative path under
       /srv/dovecot, so the whole tree keeps its original mix of types.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for dovecot; if you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.  For example, to keep dovecot
       state under /srv/dovecot/content with the dovecot_var_lib_t type:

       semanage fcontext -a -t dovecot_var_lib_t '/srv/dovecot/content(/.*)?'
       restorecon -R -v /srv/dovecot/content

       Pick the data type that matches the role of the files
       (dovecot_var_lib_t, dovecot_spool_t, dovecot_var_log_t and so on).  Do
       not label data with dovecot_exec_t: it is the entrypoint type for the
       dovecot_t domain, so an executable carrying that label becomes a valid
       entry point into dovecot_t, which is exactly the boundary the policy
       is meant to guard.

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.  The expression is matched against the whole
       path, so '/srv/dovecot/content(/.*)?' covers the directory itself and
       everything below it but not, for example, /srv/dovecot/content2.

       The following file types are defined for dovecot:

       dovecot_auth_exec_t

       - Set files with the dovecot_auth_exec_t type, if you want to
       transition an executable to the dovecot_auth_t domain.

       Paths:
            /usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth


       dovecot_auth_tmp_t

       - Set files with the dovecot_auth_tmp_t type, if you want to store
       dovecot auth temporary files in the /tmp directories.


       dovecot_cert_t

       - Set files with the dovecot_cert_t type, if you want to treat the
       files as dovecot certificate data.

       Paths:
            /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot.pem,
            /usr/share/ssl/private/dovecot.pem


       dovecot_deliver_exec_t

       - Set files with the dovecot_deliver_exec_t type, if you want to
       transition an executable to the dovecot_deliver_t domain.

       Paths:
            /usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda


       dovecot_deliver_tmp_t

       - Set files with the dovecot_deliver_tmp_t type, if you want to store
       dovecot deliver temporary files in the /tmp directories.


       dovecot_etc_t

       - Set files with the dovecot_etc_t type, if you want to store dovecot
       files in the /etc directories.

       Paths:
            /etc/dovecot(/.*)?, /etc/dovecot.conf.*


       dovecot_exec_t

       - Set files with the dovecot_exec_t type, if you want to transition an
       executable to the dovecot_t domain.

       Paths:
            /usr/sbin/dovecot


       dovecot_initrc_exec_t

       - Set files with the dovecot_initrc_exec_t type, if you want to
       transition an executable to the dovecot_initrc_t domain.


       dovecot_keytab_t

       - Set files with the dovecot_keytab_t type, if you want to treat the
       files as kerberos keytab files.


       dovecot_passwd_t

       - Set files with the dovecot_passwd_t type, if you want to treat the
       files as dovecot passwd data.


       dovecot_spool_t

       - Set files with the dovecot_spool_t type, if you want to store the
       dovecot files under the /var/spool directory.


       dovecot_tmp_t

       - Set files with the dovecot_tmp_t type, if you want to store dovecot
       temporary files in the /tmp directories.


       dovecot_var_lib_t

       - Set files with the dovecot_var_lib_t type, if you want to store the
       dovecot files under the /var/lib directory.

       Paths:
            /var/lib/dovecot(/.*)?, /var/run/dovecot/login/ssl-parameters.dat


       dovecot_var_log_t

       - Set files with the dovecot_var_log_t type, if you want to treat the
       data as dovecot var log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/dovecot(/.*)?, /var/log/dovecot.log.*


       dovecot_var_run_t

       - Set files with the dovecot_var_run_t type, if you want to store the
       dovecot files under the /run or /var/run directory.


       Note: File context can be temporarily modified with the chcon command;
       the next restorecon or relabel reverts it.  If you want to permanently
       change the file context you need to use the semanage fcontext command.
       This modifies the SELinux labeling database only; you will then need
       to use restorecon to apply the labels on disk.

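       A dry run for such labeling rules, as an added example (shell) that is
       not part of the sepolicy-generated page. It checks a candidate
       semanage spec against the paths it is meant to cover using whole-path
       matching, approximated with grep -E (an assumption: libselinux
       compiles the specs with its own regex engine, but the result is the
       same for the simple forms used here), and lists every entry of a small
       table drawn from this page's own paths that matches a given path, so
       overlapping rules are visible before restorecon rewrites labels:

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page.
# Specs taken from this page's FILE CONTEXTS / MANAGED FILES sections plus
# the proposed /srv/dovecot/content rule. Format: SPEC TYPE, one per line.
FCONTEXT_TABLE=$(cat <<'EOF'
/etc/dovecot(/.*)? dovecot_etc_t
/var/lib/dovecot(/.*)? dovecot_var_lib_t
/var/run/dovecot/login/ssl-parameters.dat dovecot_var_lib_t
/var/run/dovecot(-login)?(/.*)? dovecot_var_run_t
/var/log/dovecot(/.*)? dovecot_var_log_t
/var/spool/dovecot(/.*)? dovecot_spool_t
/srv/dovecot/content(/.*)? dovecot_var_lib_t
EOF
)

# Does SPEC cover PATH? libselinux matches a spec against the whole path,
# so the expression is anchored at both ends here. grep -E stands in for
# libselinux's regex engine (assumption); it agrees with it for the (/.*)?
# and (-login)? forms used in this table.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# For each path on stdin print "PATH TYPE SPEC" for every table entry that
# matches it. A path with no output line is covered by no rule and keeps
# whatever label its parent directory gave it at creation time, which
# dovecot_t may not be allowed to read.
preview_labels() {
    while IFS= read -r p; do
        printf '%s\n' "$FCONTEXT_TABLE" | while read -r spec type; do
            [ -n "$spec" ] || continue
            if fcontext_matches "$spec" "$p"; then
                printf '%s %s %s\n' "$p" "$type" "$spec"
            fi
        done
    done
}

# Paths matched by more than one spec. libselinux resolves these by its own
# spec precedence, so confirm the winner with matchpathcon or
# restorecon -n -v instead of assuming.
ambiguous_paths() {
    preview_labels | awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }'
}

# Stand-alone run on a few constructed paths
printf '%s\n' /srv/dovecot/content/indexes/user1 \
              /srv/dovecot/content2 \
              /var/run/dovecot/login/ssl-parameters.dat | preview_labels
printf '%s\n' /var/run/dovecot/login/ssl-parameters.dat | ambiguous_paths
```

       The ssl-parameters.dat entry is the page's own example of an overlap:
       it sits under the dovecot_var_run_t tree but is listed as
       dovecot_var_lib_t, so the more specific entry must win for the file
       to get the type the policy expects.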

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), dovecot_auth_selinux(8),
       dovecot_deliver_selinux(8)

dovecot                            23-12-15                 dovecot_selinux(8)