courier's authlib daemon fails to start as selinux is preventing access to some files in /var/spool:

type=1400 audit(1219677683.507:30): avc: denied { search } for pid=7714 comm="authdaemond" name="spool" dev=dm-0 ino=369092 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:31): avc: denied { write } for pid=7714 comm="authdaemond" name="authdaemon" dev=dm-0 ino=368811 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:32): avc: denied { add_name } for pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:33): avc: denied { create } for pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.516:34): avc: denied { setattr } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.517:35): avc: denied { remove_name } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.517:36): avc: denied { rename } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file

369092 is /var/spool and 368811 is /var/spool/authdaemon. So what needs to be done is probably:

1. grant courier_authdaemon_t the right to search var_spool_t
2. change /var/spool/authdaemon/* to have context courier_spool_t
3. grant courier_authdaemon_t full access to courier_spool_t
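As an added illustration of the triage done in the report above (this is not code from the bug report or from the selinux-policy package): a small Python parser that groups the quoted AVC denials by source type, target type and object class, and renders the blanket allow rules an audit2allow-style analysis would propose for them. The sample lines are the seven denials from the report; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in the report, one per line.
SAMPLE_AVCS = """\
type=1400 audit(1219677683.507:30): avc: denied { search } for pid=7714 comm="authdaemond" name="spool" dev=dm-0 ino=369092 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:31): avc: denied { write } for pid=7714 comm="authdaemond" name="authdaemon" dev=dm-0 ino=368811 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:32): avc: denied { add_name } for pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:33): avc: denied { create } for pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.516:34): avc: denied { setattr } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.517:35): avc: denied { remove_name } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.517:36): avc: denied { rename } for pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
"""

# Fields of a kernel AVC record: denied permission set, then scontext, tcontext, tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def sel_type(context):
    """Return the type (third field) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": sel_type(m.group("scontext")),
        "ttype": sel_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}

def allow_rules(groups):
    """Render the blanket allow rules an audit2allow-style analysis would emit.
    Each one grants the source type access to *every* object of the target
    type, so check whether a relabel to a narrower type is the better fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(groups.items())]
```

The rendered rules would let courier_authdaemon_t write into any var_spool_t directory on the system, which is why step 2 of the report (relabelling /var/spool/authdaemon to courier_spool_t and granting access to that type only) is the tighter fix.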
Fixed in selinux-policy-3.3.1-87.fc9.noarch
Sorry for not testing sooner, but the fix does indeed properly solve the problem. Thanks. :)