Jan-Frode Myklebust janfrode@tanso.net writes:
On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote:
I had thought SELinux would log something, but /var/log/audit/audit.log is blank...
Are you running auditd? I believe that if you're not running auditd, the denials should be logged to the kernel ring buffer.
It seems auditd is not running and not happy to start:

,----[ systemctl status auditd.service ]
| Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
| Active: failed (Result: exit-code) since Mon, 24 Jun 2013 04:28:28 +0100; 6s ago
| Process: 5139 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
| Process: 5136 ExecStart=/sbin/auditd -n (code=exited, status=6)
| CGroup: name=systemd:/system/auditd.service
`----
Does "dmesg" show any denials?

Nope, all it shows is turning SELinux on/off (I tried accessing the mail prior to and after changing the SELinux status):

,----
| [  767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
| [  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
`----
Likely dovecot doesn't have access to user_home_dir_t/user_home_t. Are all users' maildirs below /home/user/data1/Maildir/?
All users' maildirs are under the same location, e.g.

,----[ ls -Z ]
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountA
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountB
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountC
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountD
`----
If so, you can probably fix this by creating a labeling rule for it and re-labeling everything below this directory:
semanage fcontext -a -t mail_spool_t "/home/user/data1/Maildir(/.*)?"
restorecon -R /home/user/data1/Maildir
No luck with using this.
I will look into this more tomorrow and hopefully locate some logs.
-- Johnny
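The triage steps discussed in this thread (look for AVC denials in audit.log, or in the kernel ring buffer when auditd is down; confirm the denied target type is a home or mount label rather than a mail label; then add the fcontext rule and run restorecon), as one added POSIX shell script. This is an added example, not code posted by Jan-Frode or Johnny. It assumes the Maildir root is the placeholder path /home/user/data1/Maildir from the thread (override with MAILDIR_ROOT), that dovecot runs in the dovecot_t / dovecot_deliver_t domains of the Fedora/RHEL reference policy, and that mail_spool_t is the target type suggested above; the AVC lines in SAMPLE_LOG are constructed for the example. Nothing touches the system unless the script is run with --apply as root.

```shell
#!/bin/sh
# Added example (not from the thread): triage a dovecot SELinux denial on a
# Maildir outside /var/mail and relabel it as mail_spool_t.

# Placeholder path from the thread; override with MAILDIR_ROOT=... in the environment.
MAILDIR_ROOT="${MAILDIR_ROOT:-/home/user/data1/Maildir}"

# Constructed sample: one of the enforcing-toggle records seen in the thread
# (must be ignored), one AVC in dmesg format, one AVC in audit.log format.
SAMPLE_LOG='[  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
[  790.412005] type=1400 audit(1372044175.520:12): avc:  denied  { read open } for  pid=2456 comm="imap" name="mailaccountA" dev="sda3" ino=262401 scontext=system_u:system_r:dovecot_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1372044175.521:13): avc:  denied  { search } for  pid=2456 comm="imap" name="data1" dev="sda3" ino=262145 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# parse_avc TEXT: print "denied <perms> <source type> <target type> <class>"
# for every AVC record in TEXT. The match is on "avc: denied", so it works on
# audit.log (type=AVC) and on dmesg/journalctl -k (type=1400) lines alike.
parse_avc() {
    printf '%s\n' "$1" | awk '
    /avc: *denied/ {
        perm = ""; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "denied" && $(i+1) == "{") {       # collect "{ read open }"
                j = i + 2
                while ($j != "}") { perm = (perm == "" ? $j : perm "," $j); j++ }
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print "denied " perm " " st " " tt " " cls
    }'
}

# needs_relabel LINE: true when a parsed AVC is the mislabelled-Maildir case:
# a dovecot domain denied on a home-directory or mount-point type.
# Domain names assume the Fedora/RHEL reference policy.
needs_relabel() {
    set -- $1                      # $3 = source type, $4 = target type
    case "$3" in dovecot_t|dovecot_deliver_t) ;; *) return 1 ;; esac
    case "$4" in user_home_dir_t|user_home_t|mnt_t) return 0 ;; *) return 1 ;; esac
}

# count_relabel_denials TEXT: number of AVCs in TEXT that needs_relabel accepts.
count_relabel_denials() {
    parse_avc "$1" | {
        n=0
        while IFS= read -r line; do
            if needs_relabel "$line"; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# labeling_commands ROOT: the rule and relabel commands suggested in the thread.
# "(/.*)?" matches ROOT itself and everything beneath it; -a adds a local rule
# that survives a policy update, unlike a bare chcon.
labeling_commands() {
    printf 'semanage fcontext -a -t mail_spool_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    if systemctl is-active --quiet auditd; then
        log=$(grep -h 'avc: *denied' /var/log/audit/audit.log || true)
    else
        # auditd is not running: the kernel logs AVCs to the ring buffer instead.
        log=$(dmesg | grep 'avc: *denied' || true)
    fi
    parse_avc "$log"
    if [ "$(count_relabel_denials "$log")" -gt 0 ]; then
        echo "before:"; ls -Zd "$MAILDIR_ROOT"
        labeling_commands "$MAILDIR_ROOT" | sh -ex
        echo "policy now expects:"; matchpathcon "$MAILDIR_ROOT"
        echo "after:"; ls -Zd "$MAILDIR_ROOT"
    else
        echo "no dovecot denials on home/mount types found; SELinux labeling is probably not the cause"
    fi
fi
```

Run it with --apply as root after reproducing the failure once, so a fresh AVC is in the log. If the labels already read mail_spool_t and the access still fails with enforcing=0, the problem lies outside SELinux and the next place to look is dovecot's own log.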