Sebastian Hennebrueder asks:
Postfix and dovecot share the certificates. I solved the problem in a way that I copied the certificates and set the corresponding context. I don't like this approach. Alternatively I can use the normal audit2allow approach to allow postfix access to dovecot or vice versa but I would like not to give them this right. The best solution is to create a new context which can be accessed by both domains. With the new module approach, how do I start to write a new context type? It is probably simple but I don't find the way to start by reading the documentation on the net.
It is fairly simple to build a custom policy module. This is what I would do:
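Create a file called mypostfix_dovecot.te:
policy_module(mypostfix_dovecot, 1.0)
# Domains that already exist in the base policy
gen_require(`
type postfix_t, dovecot_t;
')
# New file type for the shared certificates
type postfix_dovecot_cert_t;
files_type(postfix_dovecot_cert_t)
# Read-only access for both domains: search the directory, read the files in it
read_files_pattern(postfix_t, postfix_dovecot_cert_t, postfix_dovecot_cert_t)
read_files_pattern(dovecot_t, postfix_dovecot_cert_t, postfix_dovecot_cert_t)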
Now you can create a mypostfix_dovecot.fc, or just use semanage fcontext, to assign the mapping to the path:
/etc/pki/mycerts(/.*)? gen_context(system_u:object_r:postfix_dovecot_cert_t,s0)
Now compile them up
# make -f /usr/share/selinux/devel/Makefile
Install it
# semodule -i mypostfix_dovecot.pp
Fix the labeling
# restorecon -R -v /etc/pki/mycerts
You are done. You can copy the pp file to any machine that you want this policy on and install it there, and the changes will be permanent. If you need additional access, you can change or add interfaces in the te file.
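A label check to run after restorecon, as an added example that is not part of the original post: it lists anything under the certificate directory whose SELinux type is not postfix_dovecot_cert_t, which is what you get when a file is moved in with mv and keeps its old label. The function names and the sample lines are constructed for illustration, and the live mode assumes GNU find.

```sh
#!/bin/sh
# Added example: helper names and SAMPLE are constructed for illustration.
EXPECTED_TYPE="postfix_dovecot_cert_t"  # type declared in mypostfix_dovecot.te
CERT_DIR="/etc/pki/mycerts"             # path mapped in the .fc entry

# Constructed "<context> <path>" lines; the second file was moved in with mv
# and kept the label of its old location.
SAMPLE='system_u:object_r:postfix_dovecot_cert_t:s0 /etc/pki/mycerts/mail.crt
unconfined_u:object_r:user_home_t:s0 /etc/pki/mycerts/mail.key'

# Print the type (third field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin; print every path whose type is not $1.
# Returns 0 when all labels match, 1 otherwise.
mislabeled() {
    want=$1
    rc=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(context_type "$ctx")" != "$want" ]; then
            printf '%s (%s)\n' "$path" "$ctx"
            rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    # Live check; assumes GNU find, whose %Z prints the SELinux context.
    find "$CERT_DIR" -printf '%Z %p\n' | mislabeled "$EXPECTED_TYPE"
else
    # Offline demo on the constructed sample.
    printf '%s\n' "$SAMPLE" | mislabeled "$EXPECTED_TYPE" || true
fi
```

Run it with --run on the mail server; any path it prints is still unreadable to postfix and dovecot under this module until restorecon relabels it.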
If you later want to remove your policy package:
# semodule -r mypostfix_dovecot
Fix the file context
# restorecon -R -v /etc/pki/mycerts
2008-09-16 03:40 am (UTC)