I've had to set my mail server to permissive mode because the targeted policy is preventing dovecot's IMAPS server from reading or writing files under ~/Maildir on an NFS mounted home. Postfix seems to be able to put them there without generating warnings. I set use_nfs_home_dirs=1 and restarted the server but no luck.

<kal@willow:~> getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
samba_share_nfs --> off
use_nfs_home_dirs --> on
xen_use_nfs --> off
<kal@willow:~>

Additional Information:

Source Context        unconfined_u:system_r:dovecot_t:s0
Target Context        system_u:object_r:nfs_t:s0
Target Objects        ./dovecot.index.tmp [ file ]
Source                imap
Source Path           /usr/libexec/dovecot/imap
Port                  <Unknown>
Host                  willow.finexium.com
Source RPM Packages   dovecot-1.0.13-6.fc8
Target RPM Packages
Policy RPM            selinux-policy-3.0.8-93.fc8
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           use_nfs_home_dirs
Host Name             willow.finexium.com
Platform              Linux willow.finexium.com 2.6.24.3-50.fc8 #1 SMP Thu Mar 20 13:39:08 EDT 2008 x86_64 x86_64
Alert Count           32
First Seen            Tue Apr 1 17:19:44 2008
Last Seen             Thu Apr 3 13:30:12 2008
Local ID              e7cffb6f-1538-4570-88e7-b8fd33b35e8b
Line Numbers

Raw Audit Messages

host=willow.finexium.com type=AVC msg=audit(1207189812.600:7765): avc: denied { rename } for pid=24562 comm="imap" name="dovecot.index.tmp" dev=0:11 ino=1284039 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

host=willow.finexium.com type=SYSCALL msg=audit(1207189812.600:7765): arch=c000003e syscall=82 success=yes exit=0 a0=6c5f00 a1=6c2720 a2=33 a3=0 items=0 ppid=7444 pid=24562 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
Fixed in selinux-policy-3.0.8-98.fc8
Thanks for the prompt response :-). I just installed selinux-policy-3.0.8-98.fc8 from updates-testing. Restarted dovecot. I'm still getting what looks like more or less the same error. Do I need to reboot the server or change some contexts?

----

Source Context        unconfined_u:system_r:dovecot_t:s0
Target Context        system_u:object_r:nfs_t:s0
Target Objects        ./1207881004.P25707Q1.willow.finexium.com:2,a [ file ]
Source                imap
Source Path           /usr/libexec/dovecot/imap
Port                  <Unknown>
Host                  willow.finexium.com
Source RPM Packages   dovecot-1.0.13-6.fc8
Target RPM Packages
Policy RPM            selinux-policy-3.0.8-98.fc8
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           use_nfs_home_dirs
Host Name             willow.finexium.com
Platform              Linux willow.finexium.com 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count           1
First Seen            Fri Apr 11 12:33:40 2008
Last Seen             Fri Apr 11 12:33:40 2008
Local ID              9e6e8a4e-c3f2-4567-8dff-184ace095b56
Line Numbers

Raw Audit Messages

host=willow.finexium.com type=AVC msg=audit(1207881220.66:20717): avc: denied { rename } for pid=28086 comm="imap" name="1207881004.P25707Q1.willow.finexium.com:2,a" dev=0:17 ino=1278217 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

host=willow.finexium.com type=SYSCALL msg=audit(1207881220.66:20717): arch=c000003e syscall=82 success=yes exit=0 a0=698788 a1=6989f8 a2=75e0 a3=78656e69662e776f items=0 ppid=28076 pid=28086 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
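Both reports above show the same pattern: an AVC record saying the access was denied, paired (by the audit serial number) with a SYSCALL record saying success=yes. That pairing is the signature of permissive mode, and every such event is an access that would start failing the moment the box goes back to enforcing. The script below is an added example, not part of this bug report and not Fedora or SELinux tooling; it parses the raw audit records quoted in the two reports (embedded here as constructed sample input) into dovecot_t -> nfs_t style summaries and lists the events that would break under enforcing. The function and field names are my own; in practice you would feed it `ausearch -m AVC,SYSCALL --raw` output instead of the embedded sample.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two AVC/SYSCALL record pairs quoted in this bug
# report, one record per line, exactly as setroubleshoot printed them.
SAMPLE_AUDIT_LOG = """\
host=willow.finexium.com type=AVC msg=audit(1207189812.600:7765): avc: denied { rename } for pid=24562 comm="imap" name="dovecot.index.tmp" dev=0:11 ino=1284039 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
host=willow.finexium.com type=SYSCALL msg=audit(1207189812.600:7765): arch=c000003e syscall=82 success=yes exit=0 a0=6c5f00 a1=6c2720 a2=33 a3=0 items=0 ppid=7444 pid=24562 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
host=willow.finexium.com type=AVC msg=audit(1207881220.66:20717): avc: denied { rename } for pid=28086 comm="imap" name="1207881004.P25707Q1.willow.finexium.com:2,a" dev=0:17 ino=1278217 scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
host=willow.finexium.com type=SYSCALL msg=audit(1207881220.66:20717): arch=c000003e syscall=82 success=yes exit=0 a0=698788 a1=6989f8 a2=75e0 a3=78656e69662e776f items=0 ppid=28076 pid=28086 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="imap" exe="/usr/libexec/dovecot/imap" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
"""

# The audit serial (the number after the timestamp) ties an AVC record to the
# SYSCALL record of the same event.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text: str) -> Dict[str, str]:
    """Split 'k=v k2="v 2"' fields into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context: str) -> str:
    """Return the type of a user:role:type[:range] security context (e.g. nfs_t)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


@dataclass
class AvcEvent:
    serial: str
    verdict: str
    perms: List[str]
    source_type: str
    target_type: str
    tclass: str
    comm: str
    name: str
    syscall_success: Optional[bool] = None  # filled in from the SYSCALL record

    @property
    def permissive_only(self) -> bool:
        """Policy said denied but the syscall still succeeded: that is how a
        permissive-mode denial looks, and enforcing mode would block it."""
        return self.verdict == "denied" and self.syscall_success is True


def parse_audit_log(text: str) -> List[AvcEvent]:
    """Parse raw audit lines into AvcEvents, joining SYSCALL outcomes by serial."""
    events: List[AvcEvent] = []
    by_serial: Dict[str, List[AvcEvent]] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = _kv(m.group("rest"))
            ev = AvcEvent(
                serial=m.group("serial"),
                verdict=m.group("verdict"),
                perms=m.group("perms").split(),
                source_type=_type_of(f.get("scontext", "")),
                target_type=_type_of(f.get("tcontext", "")),
                tclass=f.get("tclass", ""),
                comm=f.get("comm", ""),
                name=f.get("name", ""),
            )
            events.append(ev)
            by_serial.setdefault(ev.serial, []).append(ev)
            continue
        m = SYSCALL_RE.search(line)
        if m and m.group("serial") in by_serial:
            ok = _kv(m.group("rest")).get("success") == "yes"
            for ev in by_serial[m.group("serial")]:
                ev.syscall_success = ok
    return events


def summarize(events: List[AvcEvent]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials per (source type, target type, object class, permission)."""
    counts: Counter = Counter()
    for ev in events:
        if ev.verdict != "denied":
            continue
        for perm in ev.perms:
            counts[(ev.source_type, ev.target_type, ev.tclass, perm)] += 1
    return dict(counts)


def enforcing_blockers(events: List[AvcEvent]) -> List[AvcEvent]:
    """Events that only succeeded because the system is permissive."""
    return [ev for ev in events if ev.permissive_only]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls, perm), n in summarize(evs).items():
        print(f"{n:3d}  {src} -> {tgt}  {cls}:{perm}")
    for ev in enforcing_blockers(evs):
        print(f"would fail in enforcing mode: {ev.comm} {ev.perms} {ev.name!r}")
```

On the sample this reports two dovecot_t -> nfs_t file:rename denials, both of which would fail under enforcing. When the target type is nfs_t the first things to check are the boolean the alert names (`getsebool use_nfs_home_dirs`) and, as this bug's resolution shows, whether the installed selinux-policy-targeted package actually carries the rules that boolean is supposed to enable.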
Doh! <Kal slaps forehead in acknowledgment of stupidity> I just installed selinux-policy-targeted.noarch 0:3.0.8-98.fc8 as well and it appears to solve the problem :-) Great work Daniel! Your efforts at keeping the Fedora community secure are greatly appreciated. Must buy you a beer next time you are in Port Melbourne. Cheers! Kal