Once upon a time, Daniel J Walsh <dwalsh(a)redhat.com> said:
Chris Adams wrote:
> What is odd is that it fails when SELinux is in enforcing mode, but not
> in permissive, BUT I don't get any errors when it fails (e.g. no
> "denied" messages in the kernel or audit logs).
semodule -DB
will turn on all dontaudit rules.
Sorry, I should have been more specific: this is on RHEL 5, which does
not appear to have the -D option.
However, looking at the dontaudit rules with sesearch (I wasn't aware of
either dontaudit rules or the sesearch command before), I found the
problem. The top-level directory was still default_t, and there's a
"dontaudit dovecot_t default_t : dir { ioctl read gettr lock search };"
rule.
I changed that top-level directory and all is well. Thanks.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.