Dovecot and FC4 -> FC5 upgrade problem -> SElinux

Daniel J Walsh dwalsh at redhat.com
Tue Mar 28 15:13:15 UTC 2006


Jouni Viikari wrote:
> I found the Dovecot problem to be an SELinux configuration problem.  When
> trying to connect to the mail server I saw in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1143334018.770:1989): avc:  denied  { getattr } for
> pid=15305 comm="imap" name="inotify" dev=inotifyfs ino=309
> scontext=user_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
> type=AVC msg=audit(1143368097.136:5486): avc:  denied  { read } for
> pid=1758 comm="imap" name="inotify" dev=inotifyfs ino=309
> scontext=user_u:system_r:dovecot_t:s0
> tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> Doing the audit2allow; semodule thing I was able to make Dovecot work.
>

This can be added to policy.

> However using Webmail needed taking care of extra denial:
>
> type=AVC msg=audit(1143368466.704:5522): avc:  denied  { name_connect }
> for  pid=26894 comm="httpd" dest=143 scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
>
> The question still is what to do to make the new FC5 installation like it
> would have been after a fresh install instead of an FC4 upgrade, regarding SELinux?
> Or what caused these denials?  During first boot after upgrade the
> system did automatic relabeling.
>

This should not have worked on fc4 unless you had set
httpd_can_network_connect on.

> Also how should I make loading of these manually made modules automatic
> for reboots if I have to keep these (or something similar)?
>

If you install them with semodule they are permanent.  Basically
semodule rebuilds the policy.20 file with the newly added module.  You
can remove all of your module files from the system.  semodule -r
modulename will remove your module.

> I could not find answers for these on the otherwise excellent
> http://danwalsh.livejournal.com/2213.html pages.  (Issues related to
> upgrade from previous FC & selinux)
>
> TIA, Jouni
>
>   



