On Sun, Feb 19, 2012 at 08:12:39PM -0500, Alain Toussaint wrote:
> I did that. I rebooted into permissive mode, ran rlpkg -a -r and rebooted
> into enforcing mode. The results were the same under root and I've tried with
> my sysadm_r user but in the sysadm_r user, I could see all the permissions in
> /etc but trying to start dovecot failed because dovecot didn't have
> permission to access the /etc/dovecot directory.
Aha, we're getting somewhere then.
You indeed need to be sysadm_r to view those (all) labels. The staff_r role
(and its affiliated domains) do not have the rights to view all these
labels. That is why you see all those "??" in the "ls -Z" output.
For dovecot, you'll need to check in which domain dovecot is running. There
is a dovecot domain (dovecot_t) but your system might not run it in that
domain properly. It is also possible that the policy is not up to date with
recent dovecot development (and then needs policy updates).
At first sight, I don't see the dovecot_t domain to be capable of doing much
with dovecot_etc_t if it is a directory:
allow dovecot_t dovecot_etc_t:file read_file_perms;
Wkr,
Sven Vermeulen
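As an added example (not part of the thread above), a small POSIX shell helper that reads allow rules in the format printed by sesearch and reports whether a domain has directory search rights on a type, which is the check Sven's remark about dovecot_etc_t being a directory calls for. The rule lines embedded below are constructed samples, not output from a real policy.

```shell
#!/bin/sh
# has_dir_access SOURCE TARGET: reads "allow" rules on stdin (sesearch output,
# old "t : class" or new "t:class" spelling) and returns 0 when some rule grants
# the dir class the "search" permission, which a domain needs to traverse a
# directory such as /etc/dovecot labelled TARGET. Returns 1 otherwise.
has_dir_access() {
    src="$1"; tgt="$2"
    sed 's/ *: */:/' | awk -v src="$src" -v tgt="$tgt" '
        $1 == "allow" && $2 == src {
            # $3 is "TARGET:class"; the permissions follow as "perm;" or "{ a b };"
            split($3, tc, ":")
            if (tc[1] != tgt || tc[2] != "dir") next
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms " " $i
            gsub(/[{};]/, " ", perms)
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) if (p[i] == "search") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: file access to dovecot_etc_t but no dir rule for it,
# while the generic etc_t directory is searchable.
SAMPLE_RULES='allow dovecot_t dovecot_etc_t:file { getattr ioctl lock open read };
allow dovecot_t etc_t : dir { getattr open read search } ;'

# report SOURCE TARGET: human-readable wrapper over the sample rules.
report() {
    if printf '%s\n' "$SAMPLE_RULES" | has_dir_access "$1" "$2"; then
        echo "$1 can search $2 directories"
    else
        echo "$1 has NO dir search permission on $2 (expect an AVC denial)"
    fi
}

report dovecot_t etc_t
report dovecot_t dovecot_etc_t

# On a live system, feed the real policy instead of the sample, e.g.:
#   sesearch -A -s dovecot_t -t dovecot_etc_t | has_dir_access dovecot_t dovecot_etc_t
```

Confirm first with ps -eZ that the dovecot processes actually run in dovecot_t; if they run in init_t or another domain, the rules for dovecot_t are not what is being enforced.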