Just to close this thread out:
I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7
removed the local.pp I made earlier:
# semodule -r local
forced a reload of the policy:
# semodule -R
rotated the audit log:
# logrotate -f /etc/logrotate.d/audit
Then I went and exercised the mail system, sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.
took a look at the fresh audit.log
# audit2allow -a
And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;

#============= procmail_t ==============
allow procmail_t var_spool_t:file read;

#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
But notice, NO DOVECOT!
made a module:
# cat /var/log/audit/audit.log | audit2allow -M localMAIL
installed it:
# semodule -i localMAIL.pp
put selinux back into enforce:
# setenforce 1
and re-rotated the log:
# logrotate -f /etc/logrotate.d/audit
Then sat back and waited for the phone to ring... {quiet}
Confirmed with:
# audit2allow -a
And got nothing. Everything working great now.
New policy package fixed dovecot problem, Thanks Again.
John
John Lindgren wrote:
Thank You for your help!
John
Daniel J Walsh wrote:
John Lindgren wrote:
I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1 dovecot logins with pam now WORK!... as far as I can tell. ;)
Will upgrade to the new policy later tonight.
Should I then remove the local.pp I just compiled and see what messages I get?
John
yes
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
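An added example, not part of the original thread: a small Python parser for `audit2allow -a` output of the shape quoted above. It confirms that a given domain (here dovecot) no longer shows up and lists the rules that grant modifying permissions, so they can be read before the module is built with `audit2allow -M`. The sample text is a constructed subset of the rules in the post, and the function names and the `MODIFYING` set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow -a output quoted in the post.
SAMPLE = """\
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t tmpfs_t:file { read getattr };
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
"""

# allow <source> <target>:<class> <perm>;   or   { <perm> <perm> ... };
RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|([^\s;]+))\s*;")

# Permissions that modify the target (names taken from the rules on this page).
MODIFYING = {"write", "create", "unlink", "add_name", "remove_name", "setattr", "rmdir"}

def parse_rules(text):
    """Map each source domain to a list of (target_type, class, perms)."""
    rules = defaultdict(list)
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m is None:  # section headers, blank lines, comments
            continue
        src, tgt, cls, braced, single = m.groups()
        rules[src].append((tgt, cls, frozenset((braced or single).split())))
    return dict(rules)

def domains_matching(rules, prefix):
    """Source domains whose name starts with prefix, e.g. 'dovecot'."""
    return sorted(d for d in rules if d.startswith(prefix))

def modifying_rules(rules):
    """Rules that grant at least one permission that changes the target."""
    return sorted((src, tgt, cls) for src, lst in rules.items()
                  for tgt, cls, perms in lst if perms & MODIFYING)

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    print("domains with denials:", sorted(parsed))
    print("dovecot domains:", domains_matching(parsed, "dovecot") or "none")
    for src, tgt, cls in modifying_rules(parsed):
        print(f"review before loading: {src} -> {tgt}:{cls}")
```

To run it against a live system, pass the captured text of `audit2allow -a` to `parse_rules` in place of `SAMPLE`.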