Since an update from dovecot-1.2.9 to dovecot-1.2.10 I'm getting this denial on start of the daemon. Dovecot wants to create a symlink in /var/run/dovecot since this upstream change: http://hg.dovecot.org/dovecot-1.2/rev/142c935e44d6

Souhrn:
SELinux is preventing /usr/sbin/dovecot "create" access on dovecot.conf.

Podrobný popis:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by dovecot. It is not expected that this access is required by dovecot and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Další informace:
Kontext zdroje                unconfined_u:system_r:dovecot_t:s0
Kontext cíle                  unconfined_u:object_r:dovecot_var_run_t:s0
Objekty cíle                  dovecot.conf [ lnk_file ]
Zdroj                         dovecot
Cesta zdroje                  /usr/sbin/dovecot
Port                          <Neznámé>
Počítač                       (removed)
RPM balíčky zdroje            dovecot-1.2.10-1.fc12
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.32-73.fc12
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                (removed)
Platforma                     Linux (removed) 2.6.32.6-36.fc12.x86_64 #1 SMP Mon Jan 25 22:41:54 UTC 2010 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Čt 28. leden 2010, 10:42:25 CET
Naposledy viděno              Čt 28. leden 2010, 10:43:34 CET
Místní ID                     2fab3752-3d51-4dfe-afe7-708469612ccb
Čísla řádků

Původní zprávy auditu

node=(removed) type=AVC msg=audit(1264671814.489:24034): avc: denied { create } for pid=6455 comm="dovecot" name="dovecot.conf" scontext=unconfined_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:dovecot_var_run_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1264671814.489:24034): arch=c000003e syscall=88 success=yes exit=0 a0=423c55 a1=6eb1a0 a2=2 a3=7fffc3ea6660 items=0 ppid=1 pid=6455 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dovecot" exe="/usr/sbin/dovecot" subj=unconfined_u:system_r:dovecot_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-73.fc12,catchall,dovecot,dovecot_t,dovecot_var_run_t,lnk_file,create

audit2allow suggests:

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:lnk_file create;
Note that on shutdown dovecot will also require the "unlink" permission to remove the symlink.
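A local policy module that covers both the startup "create" AVC from the report and the shutdown "unlink" noted above, as an added example; it is not from the bug report or from the Fedora policy fix. The module name local_dovecot_lnk is an assumption, and building it needs checkmodule, semodule_package and semodule from the policycoreutils packages. The rule is scoped to lnk_file objects labelled dovecot_var_run_t only, rather than widening what dovecot_t may do elsewhere.

```shell
#!/bin/sh
# Added example: minimal local SELinux policy module for the dovecot
# symlink AVC in this report. The module name is an assumption.
set -eu

MODULE_NAME=local_dovecot_lnk

# Emit the Type Enforcement source. Only lnk_file create/unlink on
# dovecot_var_run_t is granted; unlink covers the symlink removal at
# shutdown, which audit2allow could not see from the startup AVC alone.
gen_te() {
    cat <<EOF
module ${MODULE_NAME} 1.0;

require {
    type dovecot_t;
    type dovecot_var_run_t;
    class lnk_file { create unlink };
}

#============= dovecot_t ==============
allow dovecot_t dovecot_var_run_t:lnk_file { create unlink };
EOF
}

# Compile the source into a policy package and load it (run as root).
build_and_install() {
    dir=$(mktemp -d)
    gen_te > "${dir}/${MODULE_NAME}.te"
    checkmodule -M -m -o "${dir}/${MODULE_NAME}.mod" "${dir}/${MODULE_NAME}.te"
    semodule_package -o "${dir}/${MODULE_NAME}.pp" -m "${dir}/${MODULE_NAME}.mod"
    semodule -i "${dir}/${MODULE_NAME}.pp"
    rm -rf "${dir}"
}

# Confirm the rule is in the loaded policy afterwards with:
#   sesearch -A -s dovecot_t -t dovecot_var_run_t -c lnk_file
# Uncomment to build and install on the affected host:
# build_and_install
```

Once the updated selinux-policy package that fixes this ships, the local module can be dropped again with semodule -r local_dovecot_lnk.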
Fixed in selinux-policy-3.6.32-78.fc12

selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.