Here are the AVCs when /var/tmp/imap_0 is missing:

type=AVC msg=audit(1211906510.786:25453): avc: denied { write } for pid=18414 comm="dovecot-auth" name="tmp" dev=dm-4 ino=1474561 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc: denied { add_name } for pid=18414 comm="dovecot-auth" name="imap_0" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc: denied { create } for pid=18414 comm="dovecot-auth" name="imap_0" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1211906510.786:25453): avc: denied { write } for pid=18414 comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474669 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

And the AVC after /var/tmp/imap_0 was created from a previous run:

type=AVC msg=audit(1211906312.306:25436): avc: denied { read write } for pid=18414 comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474670 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
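The AVC records above are the raw input a policy maintainer works from. As an added example (not code from this bug report or from the selinux-policy project), the parser below extracts source type, target type, object class and the denied permissions, merges them per (source, target, class) the way audit2allow would, and flags denials whose target is the generic tmp_t type, which is the hint here that the cache file needs its own private type and a file transition rather than a blanket allow rule. The sample log is the report's own AVC lines; the set of "generic" types is an assumption for the check.

```python
import re
from collections import defaultdict

# Constructed sample: the dovecot-auth AVC records quoted in the report above.
AVC_LOG = """\
type=AVC msg=audit(1211906510.786:25453): avc: denied { write } for pid=18414 comm="dovecot-auth" name="tmp" dev=dm-4 ino=1474561 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc: denied { add_name } for pid=18414 comm="dovecot-auth" name="imap_0" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1211906510.786:25453): avc: denied { create } for pid=18414 comm="dovecot-auth" name="imap_0" scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1211906312.306:25436): avc: denied { read write } for pid=18414 comm="dovecot-auth" name="imap_0" dev=dm-4 ino=1474670 scontext=unconfined_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""

# Permissions are inside "{ ... }"; contexts are user:role:type[:level].
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(log):
    """Return a list of (source type, target type, class, perm set) per AVC record."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        stype = m.group('scontext').split(':')[2]   # third field is the type
        ttype = m.group('tcontext').split(':')[2]
        records.append((stype, ttype, m.group('tclass'),
                        frozenset(m.group('perms').split())))
    return records

def summarize(records):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in records:
        merged[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}

# Assumption: denials against these catch-all types usually mean the object is
# mislabelled and wants a private type plus a file transition, not an allow rule.
GENERIC_TYPES = {'tmp_t'}

def mislabel_candidates(summary):
    """Sorted (source, target, class) keys whose target is a generic type."""
    return sorted(key for key in summary if key[1] in GENERIC_TYPES)
```

Running it on the sample yields dovecot_auth_t needing { write add_name } on tmp_t directories and { create read write } on tmp_t files, both flagged as relabelling candidates.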
What is this file and what is its purpose?
Well, my kerberos knowledge isn't great, but here it goes: All kerberos services use a service principal of the form service/hostname to authenticate themselves to the applications. At startup (and every time the ticket expires) they authenticate with the kerberos server and get a new ticket, which is stored in the ticket cache /var/tmp/service_uid. Here is a list of ticket caches that I have under /var/tmp from various machines:

-rw------- root  root  system_u:object_r:krb5_host_rcache_t:s0  host_0
-rw------- cyrus mail  unconfined_u:object_r:cyrus_tmp_t:s0     imap_76
-rw------- root  root  system_u:object_r:kadmind_tmp_t:s0       kadmin_0
-rw------- root  root  unconfined_u:object_r:krb5kdc_tmp_t:s0   krb5kdc_rcache
-rw------- ldap  ldap  root:object_r:slapd_tmp_t:s0             ldap_55
-rw------- root  root  system_u:object_r:gssd_tmp_t:s0          nfs_0
-rw------- cyrus mail  system_u:object_r:cyrus_tmp_t:s0         sieve_76
-rw------- root  root  unconfined_u:object_r:tmp_t              imap_0

Note the imap_76 (cyrus imap server, which runs as cyrus by default) and imap_0 from dovecot, which runs as root (if the dovecot auth process isn't running as root it might show as imap_97 as well, but I haven't tried that). If pop is enabled, dovecot will probably need access to pop_XX as well, but I don't run pop so I can't confirm this. I hope this makes sense.
Fixed in selinux-policy-3.3.1-56.fc9