Description of problem: Not sure if it's related to this particular issue; but I have dovecot configured to get user information from LDAP and use Kerberos for authentication. SELinux is preventing /usr/libexec/dovecot/auth from 'read' accesses on the file /etc/selinux/targeted/contexts/files/file_contexts. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that auth should be allowed read access on the file_contexts file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep auth /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:dovecot_auth_t:s0 Target Context unconfined_u:object_r:file_context_t:s0 Target Objects /etc/selinux/targeted/contexts/files/file_contexts [ file ] Source auth Source Path /usr/libexec/dovecot/auth Port <Unknown> Host (removed) Source RPM Packages dovecot-2.1.15-1.fc18.x86_64 Target RPM Packages selinux-policy-targeted-3.11.1-87.fc18.noarch Policy RPM selinux-policy-3.11.1-87.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.8.6-203.fc18.x86_64 #1 SMP Tue Apr 9 19:33:01 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-04-14 15:06:29 EDT Last Seen 2013-04-14 15:06:29 EDT Local ID a0906172-736b-475f-9179-a7146cf049fc Raw Audit Messages type=AVC msg=audit(1365966389.155:659): avc: denied { read } for pid=8505 comm="auth" name="file_contexts" dev="sda4" ino=2885702 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=AVC msg=audit(1365966389.155:659): avc: denied { open } for pid=8505 comm="auth" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="sda4" ino=2885702 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file type=SYSCALL msg=audit(1365966389.155:659): arch=x86_64 syscall=open success=yes exit=EXDEV a0=8eb310 a1=0 a2=1b6 a3=238 items=0 ppid=934 pid=8505 auid=4294967295 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 ses=4294967295 tty=(none) comm=auth exe=/usr/libexec/dovecot/auth subj=system_u:system_r:dovecot_auth_t:s0 key=(null) Hash: auth,dovecot_auth_t,file_context_t,file,read audit2allow #============= dovecot_auth_t ============== allow dovecot_auth_t file_context_t:file { read open }; audit2allow -R require { type dovecot_auth_t; } #============= dovecot_auth_t ============== seutil_read_file_contexts(dovecot_auth_t) Additional info: hashmarkername: setroubleshoot kernel: 3.8.6-203.fc18.x86_64 type: libreport
0675b534ded23a3667eaccc15b8ea0c46cb62038 fixes this in git.
selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18
Package selinux-policy-3.11.1-91.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-91.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.