Description of problem:
Starting dovecot fails as it cannot create dovecot.log in /var/log/

Version-Release number of selected component (if applicable):
dovecot-1.0.6-0_62.fc7

How reproducible:
Unhash log_path: /var/log/dovecot.log in /etc/dovecot.conf and start dovecot service

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

[root@holycow ~]# dovecot -n
# 1.0.6: /etc/dovecot.conf
log_path: /var/log/dovecot.log
protocols: pop3s
ssl_cert_file: /etc/pki/tls/certs/dovecot.pem
ssl_key_file: /etc/pki/tls/certs/dovecot.pem
disable_plaintext_auth: yes
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/pop3-login
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd

-------------------------------------------------------------------

type=AVC msg=audit(1194344144.920:30): avc: denied { write } for pid=6281 comm="dovecot" name="log" dev=dm-1 ino=753665 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

[root@holycow ~]# ls -l /var/log/dovecot.log
ls: cannot access /var/log/dovecot.log: No such file or directory

[root@holycow ~]# ls -lZd /var/log
drwxr-xr-x root root system_u:object_r:var_log_t /var/log

Running in enforcing mode:
~~~~~~~~~~~~~~~~~~~~~~~~~~
selinux-policy-2.6.4-49.fc7
selinux-policy-targeted-2.6.4-49.fc7

Dovecot should be allowed to create its log file, else it fails. If the bug needs to be transferred to selinux, then please do so. Thanks!
Yeah, I think I'll reassign to selinux. I'm not sure whether we should allow this configuration in the policy, though. It might be possible to configure syslog to output dovecot things to a separate logfile, but I don't know whether syslog is allowed to open non-standard logfiles, either.
This is a bug caused by new functionality in dovecot. It will be fixed in selinux-policy-2.6.4-54.fc7.src.rpm
Dan, there's no problem with default configuration. As vikram said, he manually configured dovecot to use /var/log/dovecot.log instead of the default syslog. I'm not sure whether this kind of configuration should be supported in our selinux-policy, so I'm leaving this up to you. Regarding versions in f7 and f8, I built 1.0.7 for all fedora branches yesterday and filed an update for f7 and f8. Now it's up to them which is pushed first.
Ok I will allow it since it seems reasonable.
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.
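The AVC record in the original report can be read mechanically to see which type-enforcement rule the policy lacked. The following is an added example, not part of the bug thread or of any SELinux tool: a small parser that groups denials by source type, target type and class, in the way audit2allow summarises them. The second record is constructed for illustration (it names `add_name`, which creating a file in a directory also requires), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC record copied from the report above.
REPORT_AVC = (
    'type=AVC msg=audit(1194344144.920:30): avc: denied { write } for pid=6281 '
    'comm="dovecot" name="log" dev=dm-1 ino=753665 '
    'scontext=user_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir'
)
# Constructed second record (not from the report): the same directory check
# for the add_name permission, with the new file's name as the object name.
CONSTRUCTED_AVC = REPORT_AVC.replace("{ write }", "{ add_name }").replace(
    'name="log"', 'name="dovecot.log"')

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def missing_rules(lines):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc["source_type"], avc["target_type"], avc["tclass"])
            grouped[key].update(avc["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in missing_rules([REPORT_AVC, CONSTRUCTED_AVC]):
        print(rule)
```

The derived rule targets the generic `var_log_t` directory type, which is why the thread weighs whether the policy should permit this configuration at all.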