Description of problem:
Whenever I connect to our IMAPS server (RHEL 5.7 x86_64 system) from a Fedora 16 client using Kerberos auth, the server logs an avc similar to the following:

Feb 7 11:02:26 guitar kernel: type=1400 audit(1328641346.769:495): avc: denied { create } for pid=16719 comm="dovecot-auth" name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file

(The IMAP connection succeeds however because this server is currently running SELinux in permissive mode, for unrelated reasons.)

Version-Release number of selected component (if applicable):
dovecot-1.0.7-7.el5_7.1
selinux-policy-targeted-2.4.6-316.el5

How reproducible:
Always.

Steps to Reproduce:
1. Install dovecot on the server, and an IMAP client.
2. Add both machines to the same Kerberos realm.
3. Check mail via IMAP.

Actual results:
The avc shown above is logged on the server.

Expected results:
No avc.

Additional info:
As a workaround, I used audit2allow to make the following custom policy module:

module local 1.0;

require {
        type dovecot_auth_t;
        type krb5_host_rcache_t;
        class file create;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t krb5_host_rcache_t:file create;

and then loaded it with

checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

But for some reason the avcs continue. Is there some reason why this wouldn't work? I have other custom policy on this machine which works just fine (so I'm pretty sure I'm building and loading the module successfully ;)
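The workaround in the report relies on audit2allow turning a logged AVC into a .te module. The script below is an added example (not the reporter's code and not part of Red Hat's policy tooling) that reimplements that translation for the kernel-log format shown above, so the mapping from an AVC record to the require block and allow rule is visible, and adds an is_covered() check that confirms a logged denial is fully matched by the rules in a module. The second log line in SAMPLE_LOG is constructed (it is not on the page) purely to show several permissions being merged into one rule; the function names and the module name "local" are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log: the first line is the kernel-format AVC quoted in the
# report above; the second is a constructed companion line (not from the page)
# so the merging of several permissions into one rule is visible.
SAMPLE_LOG = """\
Feb 7 11:02:26 guitar kernel: type=1400 audit(1328641346.769:495): avc: denied { create } for pid=16719 comm="dovecot-auth" name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
Feb 7 11:02:27 guitar kernel: type=1400 audit(1328641347.001:496): avc: denied { write } for pid=16719 comm="dovecot-auth" name="krb5_RC16719aaa" scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file
"""

# The "avc: denied { perms } ... scontext= tcontext= tclass=" tail is the same
# whether the record came from auditd (type=AVC) or, as here, from the kernel
# log (type=1400), so one pattern covers both.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into source type, target type, class and perms."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
    }


def aggregate(lines):
    """Merge denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def format_perms(perms):
    """Single permission bare, several in braces, as in a .te file."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(rules, module="local", version="1.0"):
    """Render a .te module in the layout audit2allow emits."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {format_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted({key[0] for key in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {format_perms(perms)};")
        out.append("")
    return "\n".join(out)


def is_covered(line, rules):
    """True when every permission in the logged denial is granted by rules.

    This is the check to run when a module is loaded yet the same AVC keeps
    appearing: the rule must match the exact source type, target type and
    object class of the record, not merely the same domain.
    """
    rec = parse_avc(line)
    if rec is None:
        return False
    allowed = rules.get((rec["stype"], rec["ttype"], rec["tclass"]), set())
    return rec["perms"] <= allowed


if __name__ == "__main__":
    rules = aggregate(SAMPLE_LOG.splitlines())
    print(generate_te(rules))
    for line in SAMPLE_LOG.splitlines():
        print("covered" if is_covered(line, rules) else "NOT covered:", line[:50])
```

Run on only the first sample line the script reproduces the module from the report verbatim (type lines, `class file create;`, and the single allow rule). In a situation like the one in this thread, where the module is loaded but the denial persists, feeding the fresh AVC through is_covered() against the rules actually in the module, and confirming with `semodule -l` that the module is listed, separates "the rule does not match this record" from "the module is not loaded" before any policy is broadened further.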
Could you attach raw AVC message?
I don't understand - isn't the excerpt I attached in the original report from /var/log/messages the raw AVC? (I don't run auditd on this machine.) If not, what do you need?
Ah, I apologize, I missed it.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Hi Ben, we have just reproduced the steps you described and it worked without AVCs. Could you retest your scenario with the latest policy available at following URL? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
(In reply to comment #9)
> Could you retest your scenario with the latest policy

Sorry, I updated this machine to RHEL 6 long ago, which doesn't seem to have this problem.