On Sun, Feb 19, 2012 at 08:12:39PM -0500, Alain Toussaint wrote:
> I did that. I rebooted into permissive mode, ran rlpkg -a -r and rebooted
> into enforcing mode. The results were the same under root and I've tried with
> my sysadm_r user but in the sysadm_r user, I could see all the permissions in
> /etc but trying to start some dovecot failed because dovecot didn't have
> permission to access the /etc/dovecot directory.

Aha, we're getting somewhere then.

You indeed need to be sysadm_r to view those (all) labels. The staff_r role
(and its affiliated domains) does not have the rights to view all these
labels. That is why you see all those "??" in the "ls -Z" output.

For dovecot, you'll need to check in which domain dovecot is running. There
is a dovecot domain (dovecot_t) but your system might not run it in that
domain properly. It is also possible that the policy is not up to date with
recent dovecot development (and then needs policy updates).

At first sight, I don't see the dovecot_t domain to be capable of doing much
with dovecot_etc_t if it is a directory:

    allow dovecot_t dovecot_etc_t:file read_file_perms;

Wkr,
Sven Vermeulen
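
Added example (not part of the original message, and not code from the policy project): a small checker that matches an AVC denial against allow rules, showing why the rule quoted above grants nothing for the dir class. The AVC lines are constructed samples, the helper names are hypothetical, and the expansion of read_file_perms is assumed from the reference policy.

```python
import re

# Assumption: expansion of the reference policy's read_file_perms macro.
PERM_MACROS = {"read_file_perms": {"getattr", "open", "read", "lock", "ioctl"}}

ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)")

# The rule quoted in the message above.
RULES = ["allow dovecot_t dovecot_etc_t:file read_file_perms;"]

# Constructed sample denials (not taken from the poster's system).
AVC_DIR = ('type=AVC msg=audit(1329700000.100:41): avc:  denied  { search } for '
           'pid=2101 comm="dovecot" name="dovecot" dev=sda3 ino=1311 '
           'scontext=system_u:system_r:dovecot_t '
           'tcontext=system_u:object_r:dovecot_etc_t tclass=dir')
AVC_FILE = AVC_DIR.replace("{ search }", "{ read write }").replace(
    "tclass=dir", "tclass=file")

def parse_allow(rule):
    """Return ((source, target, class), expanded permission set) for one rule."""
    m = ALLOW_RE.search(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    src, tgt, cls, perms = m.groups()
    expanded = set()
    for name in perms.strip("{}").split():
        expanded |= PERM_MACROS.get(name, {name})  # macro or plain permission
    return (src, tgt, cls), expanded

def type_of(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]

def explain_denial(avc_line, rules):
    """Compare the denied permissions with what the rules grant for that class."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError("not an AVC denial")
    wanted = set(m.group(1).split())
    key = (type_of(m.group(2)), type_of(m.group(3)), m.group(4))
    granted = set()
    for rule in rules:
        rule_key, perms = parse_allow(rule)
        if rule_key == key:  # object class must match, not just the two types
            granted |= perms
    return {"class": key[2], "granted": sorted(granted),
            "missing": sorted(wanted - granted)}

if __name__ == "__main__":
    print(explain_denial(AVC_DIR, RULES))
    print(explain_denial(AVC_FILE, RULES))
```
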