trunk: dovecot fix from Stefan Schulze Frielinghaus.

policy/modules/services/dovecot.fc

@@ -27,6 +27,8 @@ ifdef(`distro_redhat', `
 # /var
 #
 /var/run/dovecot(-login)?(/.*)?		gen_context(system_u:object_r:dovecot_var_run_t,s0)
+# this is a hard link to /var/lib/dovecot/ssl-parameters.dat
+/var/run/dovecot/login/ssl-parameters.dat	gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 
 /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 

policy/modules/services/dovecot.if

@@ -18,3 +18,21 @@ interface(`dovecot_manage_spool',`
 	manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
 	manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
 ')
+
+########################################
+## <summary>
+##      Do not audit attempts to delete dovecot lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`dovecot_dontaudit_unlink_lib_files',`
+	gen_require(`
+		type dovecot_var_lib_t;
+	')
+
+	dontaudit $1 dovecot_var_lib_t:file unlink;
+')

policy/modules/services/dovecot.te

@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.7.0)
+policy_module(dovecot,1.7.1)
 
 ########################################
 #

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.9.0)
+policy_module(init,1.9.1)
 
 gen_require(`
 	class passwd rootok;
@@ -558,6 +558,14 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+	# the directory. But we do not want to allow this.
+	# The master process of dovecot will manage this file.
+	dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
 optional_policy(`
 	ftp_read_config(initrc_t)
 ')