Once upon a time, Daniel J Walsh <dwalsh@xxxxxxxxxx> said:
> Chris Adams wrote:
> > What is odd is that it fails when SELinux is in enforcing mode, but not
> > in permissive, BUT I don't get any errors when it fails (e.g. no
> > "denied" messages in the kernel or audit logs).
>
> semodule -DB
>
> will turn on all dontaudit rules.

Sorry, I should have been more specific: this is on RHEL 5, which does
not appear to have the -D option.

However, looking at the dontaudit rules with sesearch (I wasn't aware of
either dontaudit rules or the sesearch command before), I found the
problem. The top-level directory was still default_t, and there's a
"dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };"
rule. I changed that top-level directory and all is well.

Thanks.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
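The check described in the message above, as an added example that is not part of the original thread: it parses dontaudit rules in the text form sesearch prints and reports which directories on a path would be denied to a domain without any log entry. The paths, the labels other than default_t, the second rule and all function names are constructed for illustration.

```python
import re

# Constructed sample of dontaudit rules as text. Only the
# dovecot_t/default_t rule is from the message; the second is made up.
SAMPLE_RULES = """\
dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };
dontaudit dovecot_t shadow_t : file { read getattr };
"""

# Constructed sample: SELinux type of each directory leading to a mail
# store, as would be read from `ls -dZ` (hypothetical paths).
SAMPLE_LABELS = [
    ("/", "root_t"),
    ("/mailstore", "default_t"),
    ("/mailstore/user1", "mail_spool_t"),
]

RULE_RE = re.compile(
    r"dontaudit\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")


def parse_dontaudit(text):
    """Return a list of (source, target, class, {perms}) tuples."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = set((m.group(4) or m.group(5)).split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules


def silent_denials(rules, domain, labels, tclass="dir", perm="search"):
    """Paths whose type is covered by a dontaudit rule for `domain`.

    If policy has no matching allow rule, a denial of `perm` on these
    paths is enforced but never logged. Simplification: types are
    compared literally, attributes are not expanded.
    """
    hidden = {t for s, t, c, p in rules
              if s == domain and c == tclass and perm in p}
    return [path for path, ttype in labels if ttype in hidden]


if __name__ == "__main__":
    rules = parse_dontaudit(SAMPLE_RULES)
    for path in silent_denials(rules, "dovecot_t", SAMPLE_LABELS):
        print(f"{path}: dovecot_t dir search denials here are not audited")
```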