| 1 |
On Sun, Feb 19, 2012 at 08:12:39PM -0500, Alain Toussaint wrote: |
| 2 |
> I did that. I rebooted into permissive mode, ran rlpkg -a -r and rebooted |
| 3 |
> into enforcing mode. The result were the same under root and I've tried with |
| 4 |
> my sysadm_r user but in the sysadm_r user, I could see all the permission in |
| 5 |
> /etc but trying to start some dovecot failed because dovecot didn't had |
| 6 |
> permission to access the /etc/dovecot directory. |
| 7 |
|
| 8 |
Aha, we're getting somewhere then. |
| 9 |
|
| 10 |
You indeed need to be sysadm_r to view those (all) labels. The staff_r role |
| 11 |
(and its affiliated domains) do not have the rights to view all these |
| 12 |
labels. That is why you see all those "??" in the "ls -Z" output. |
| 13 |
|
| 14 |
For dovecot, you'll need to check in which domain dovecot is running. There |
| 15 |
is a dovecot domain (dovecot_t) but your system might not run it in that |
| 16 |
domain properly. It is also possible that the policy is not up to date with |
| 17 |
recent dovecot development (and then needs policy updates). |
| 18 |
|
| 19 |
At first sight, I don't see the dovecot_t domain to be capable of doing much |
| 20 |
with dovecot_etc_t if it is a directory: |
| 21 |
|
| 22 |
allow dovecot_t dovecot_etc_t:file read_file_perms; |
| 23 |
|
| 24 |
Wkr, |
| 25 |
Sven Vermeulen |
Archives