Once upon a time, Daniel J Walsh <dwalsh@redhat.com> said:
> Chris Adams wrote:
>> What is odd is that it fails when SELinux is in enforcing mode, but not in permissive, BUT I don't get any errors when it fails (e.g. no "denied" messages in the kernel or audit logs).
>
> semodule -DB
> will turn on all dontaudit rules.

Sorry, I should have been more specific: this is on RHEL 5, which does not appear to have the -D option.
However, looking at the dontaudit rules with sesearch (I wasn't aware of either dontaudit rules or the sesearch command before), I found the problem. The top-level directory was still default_t, and there's a "dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };" rule.
I changed that top-level directory and all is well. Thanks.
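
The check described in this message, as an added example that is not part of the original thread: it parses dontaudit rule text of the kind sesearch lists and flags the directories on a path where a denial for the domain would leave no "denied" message. The second rule, the directory paths and their labels are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: the rule quoted in the message plus one hypothetical rule.
SAMPLE_RULES = """\
dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };
dontaudit dovecot_t home_root_t : dir getattr;
"""

# Constructed sample: (directory, SELinux type) for each component of a
# hypothetical mail path, as `ls -Zd` would show them one by one.
SAMPLE_LABELS = [
    ("/", "root_t"),
    ("/mail", "default_t"),
    ("/mail/chris", "mail_spool_t"),
]

RULE_RE = re.compile(
    r"^\s*dontaudit\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;"
)

def parse_dontaudit(text):
    """Map (source, target, class) -> set of permissions hidden from the log."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines and other rule kinds
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def silent_denials(rules, domain, labels, perm="search", cls="dir"):
    """Directories where a denied `perm` for `domain` would not be audited.

    A dontaudit rule only suppresses logging; whether the access is actually
    denied still depends on the allow rules, which are not checked here.
    """
    return [(path, t) for path, t in labels
            if perm in rules.get((domain, t, cls), set())]

if __name__ == "__main__":
    parsed = parse_dontaudit(SAMPLE_RULES)
    for path, setype in silent_denials(parsed, "dovecot_t", SAMPLE_LABELS):
        print(f"{path} ({setype}): search denials for dovecot_t are not logged")
```
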