Jouni Viikari wrote:
> I found the Dovecot problem to be an SELinux configuration problem. When
> trying to connect to the mail server I saw in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1143334018.770:1989): avc: denied { getattr } for
> pid=15305 comm="imap" name="inotify" dev=inotifyfs ino=309
> scontext=user_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> type=AVC msg=audit(1143368097.136:5486): avc: denied { read } for
> pid=1758 comm="imap" name="inotify" dev=inotifyfs ino=309
> scontext=user_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> Doing the audit2allow; semodule thing I was able to make Dovecot work.

This can be added to policy.

> However, using Webmail needed taking care of an extra denial:
>
> type=AVC msg=audit(1143368466.704:5522): avc: denied { name_connect }
> for pid=26894 comm="httpd" dest=143 scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
>
> The question still is what to do to make the new FC5 installation like it
> would have been after a fresh install instead of an FC4 upgrade, regarding
> SELinux? Or what caused these denials? During the first boot after the
> upgrade the system did automatic relabeling.

This should not have worked on FC4 unless you had set
httpd_can_network_connect on.

> Also, how should I make loading of these manually made modules automatic
> for reboots if I have to keep these (or something similar)?

If you install them with semodule they are permanent. Basically
semodule rebuilds the policy.20 file with the newly added module. You
can remove all of your module files from the system. semodule -r
modulename will remove your module.

> I could not find answers for these on the otherwise excellent
> http://danwalsh.livejournal.com/2213.html pages. (Issues related to
> upgrade from previous FC & SELinux)
>
> TIA, Jouni