Jan-Frode Myklebust <janfr...@tanso.net> writes:

> On Sun, Jun 23, 2013 at 04:21:17PM +0100, Johnny wrote:
>>
>> I had thought SELinux would log something, but /var/log/audit/audit.log
>> is blank...
>
> Are you running auditd? I believe that if you're not running auditd, the
> denials should be logged to the kernel ring buffer.

It seems auditd is not running and not happy to start;

,----
systemctl status auditd.service
| Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
| Active: failed (Result: exit-code) since Mon, 24 Jun 2013 04:28:28 +0100; 6s ago
| Process: 5139 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
| Process: 5136 ExecStart=/sbin/auditd -n (code=exited, status=6)
| CGroup: name=systemd:/system/auditd.service
`----

> Does "dmesg" show any denials ?

Nope, all it shows is turning on/off SELinux (I tried accessing the mail
before and after changing SELinux status)

,----
| [  767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
| [  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
`----

> Likely dovecot doesn't have access user_home_dir_t/user_home_t. Are all
> users' maildirs below /home/user/data1/Maildir/ ?

All users' maildirs are under the same location, e.g.

,----
ls -Z
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountA
| drwx------. user user system_u:object_r:mnt_t:s0 mailaccountB
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountC
| drwx------. user user unconfined_u:object_r:mnt_t:s0 mailaccountD
`----

> If so, you can probably fix this by creating a labeling rule for this,
> and re-label everything below this directory:
>
> semanage fcontext -a -t mail_spool_t "/home/user/data1/Maildir(/.*)?"
> restorecon -R /home/user/data1/Maildir

No luck with using this. I will look into this more tomorrow and hopefully
locate some logs.

--
Johnny
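As an added example (not from the thread), a small POSIX sh script that separates the type=1404 mode-change records Johnny saw in dmesg from actual AVC denials (type=1400, which is where denials land in the kernel ring buffer when auditd is down), extracts the target type that a labeling fix would have to change, and checks which paths a semanage fcontext regex like the one suggested actually covers. The two type=1404 lines are copied from the thread; the type=1400 denial line and its fields are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of kernel ring-buffer (dmesg) output. The two type=1404
# lines are from the thread; the type=1400 AVC line is made up for this example.
SAMPLE_DMESG='[  767.835481] type=1404 audit(1372044152.923:10): enforcing=0 old_enforcing=1 auid=1000 ses=1
[  777.110187] type=1404 audit(1372044162.218:11): enforcing=1 old_enforcing=0 auid=1000 ses=1
[  780.000000] type=1400 audit(1372044165.000:12): avc:  denied  { read } for  pid=1234 comm="imap" name="Maildir" dev="sda1" ino=99 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir'

# Print only AVC denials (type=1400) from audit-formatted log text on stdin.
# type=1404 records are SELinux mode changes (setenforce), not denials.
avc_denials() {
    grep -E 'type=1400 .*avc:  denied'
}

# Count mode-change records, so a log with only these can be recognised as
# "no denials seen" rather than "SELinux is not logging".
count_mode_changes() {
    grep -c 'type=1404'
}

# For each denial, print the type field of tcontext (user:role:TYPE:level).
# This is the label on the object that was denied, e.g. mnt_t in the thread.
denied_target_types() {
    avc_denials | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Does PATH ($1) fall under the fcontext regex REGEX ($2)?
# semanage fcontext regexes are anchored at both ends, so grep -x emulates that.
fcontext_matches() {
    printf '%s\n' "$1" | grep -Exq "$2"
}

# Stand-alone demonstration of the functions above on the sample log.
main() {
    echo "mode changes: $(printf '%s\n' "$SAMPLE_DMESG" | count_mode_changes)"
    echo "denied target types: $(printf '%s\n' "$SAMPLE_DMESG" | denied_target_types)"
    for p in /home/user/data1/Maildir /home/user/data1/Maildir/mailaccountA/cur /home/user/data1/Maildir2; do
        if fcontext_matches "$p" '/home/user/data1/Maildir(/.*)?'; then
            echo "covered by rule: $p"
        else
            echo "NOT covered by rule: $p"
        fi
    done
}
```

Run with `sh script.sh`; on a live host, feed `dmesg` (or `ausearch -m avc` once auditd starts) into `avc_denials` instead of the sample text.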