On Tue, 2007-06-05 at 15:51 -0700, John Lindgren wrote:
Just to close this thread out:
I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7
removed the local.pp I made earlier: # semodule -r local
forced a reload of the policy: # semodule -R
rotated the audit log: # logrotate -f /etc/logrotate.d/audit
Then I went and exercised the mail system: sendmail, mailman, MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it was simpler.
took a look at the fresh audit.log: # audit2allow -a
And there were all the usual suspects:
#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
But notice, NO DOVECOT!
made a module: # cat /var/log/audit/audit.log | audit2allow -M localMAIL
installed it: # semodule -i localMAIL.pp
put selinux back into enforce: # setenforce 1
and re-rotated the log: # logrotate -f /etc/logrotate.d/audit
Then sat back and waited for the phone to ring... {quiet}
Confirmed with: # audit2allow -a
And got nothing. Everything working great now.
New policy package fixed dovecot problem, Thanks Again.
I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
I needed to add the following:
# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
before dovecot-auth could run /sbin/unix-update and authenticate IMAP clients.
Paul.
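As an added illustration (not code from this thread or from policycoreutils), here is a minimal re-implementation of the grouping step audit2allow performs, run over constructed AVC records shaped like the dovecot-auth and procmail denials discussed above, so the proposed rules can be read before anything is built with -M and loaded with semodule. The record format assumed is the standard type=AVC line with scontext=, tcontext= and tclass= fields; the pids, inodes and timestamps are made up.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record that audit2allow keys on: the denied permissions,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records etc. carry no denial
        # the type is the third field of a user:role:type:level context
        key = (m['scontext'].split(':')[2], m['tcontext'].split(':')[2], m['tclass'])
        rules[key].update(m['perms'].split())
    return rules

def format_rules(rules):
    """Render grouped denials in audit2allow's output style, one block per source type."""
    out = []
    for stype in sorted({key[0] for key in rules}):
        out.append(f'#============= {stype} ==============')
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                p = sorted(perms)
                perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
                out.append(f'allow {s} {t}:{cls} {perm_str};')
    return '\n'.join(out)

# Constructed sample records (not taken from a real audit.log): dovecot-auth denied
# execute and execute_no_trans on /sbin/unix_update, plus a procmail read denial.
SAMPLE_LOG = [
    'type=AVC msg=audit(1181167200.101:201): avc:  denied  { execute } for  pid=2101 comm="dovecot-auth" name="unix_update" dev=sda2 ino=40123 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1181167200.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="dovecot-auth"',
    'type=AVC msg=audit(1181167200.102:202): avc:  denied  { execute_no_trans } for  pid=2101 comm="dovecot-auth" path="/sbin/unix_update" dev=sda2 ino=40123 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1181167205.300:203): avc:  denied  { read } for  pid=2150 comm="procmail" name="paul" dev=sda2 ino=50001 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file',
]

def sample_rules():
    """Rules that audit2allow-style grouping would propose for SAMPLE_LOG."""
    return format_rules(collect_denials(SAMPLE_LOG))

if __name__ == '__main__':
    print(sample_rules())
```

Reading the grouped output this way is the check that caught the missing dovecot rules above: a source type that is absent from the output was not denied anything during the test run.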