On 07/01/14 22:43, David wrote:
Sorry, I know this isn't fedora (CentOS 5 actually) but I believe this
may be a more generic situation.

I recently was trying to troubleshoot an issue where a process spawned
off under the dovecot_t process type and needed to create files under /tmp
(tmp_t).

This wasn't obvious as there were no denial messages in audit for
tmp_t.  Even using "semodule -DB" didn't show denial messages.  All I
knew was the process was trying to read/write files and was getting
access denied.  I just didn't know where or why.

Eventually an strace on the process tree showed the access attempt to
/tmp.  Since I knew policy would be required to create tmp types I went
ahead and added tmp file transitions and appropriate supporting
permissions around the new dovecot_tmp_t type.  This fixed the problem.

What is surprising to me is that there were no denial messages related
to tmp_t or dovecot_t.  Nothing, regardless of permissive vs enforcing,
or semodule -DB set.

Any clue as to why this wouldn't trigger a log message?

This is a strict, not targeted policy, yes I know very old school.

Thanks,
David

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

After you've removed all dontaudits, does seinfo show any Dontaudit?
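The check the reply is asking for, as an added example that is not part of the thread: list the dontaudit rules between the source domain and target type from the thread (dovecot_t and tmp_t), confirm from `seinfo --stats` that the loaded policy really has none left after `semodule -DB`, and only then look at the audit log again. The filtering function reads rule text on stdin so it can be exercised with the constructed sample below; the live section assumes setools (`sesearch`, `seinfo`), `semodule` and `ausearch` are installed on the SELinux host and the script is run as root.

```bash
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Source domain and target type are the ones named in the thread; override
# them via the environment to check a different pair.
SRC_DOMAIN="${SRC_DOMAIN:-dovecot_t}"
TGT_TYPE="${TGT_TYPE:-tmp_t}"

# Keep only dontaudit rules from $1 to $2 in sesearch-style rule text read
# from stdin. Matches both the setools 3 layout ("dontaudit a b : file ...")
# and the setools 4 layout ("dontaudit a b:file ...").
dontaudit_rules_for() {
    src="$1"; tgt="$2"
    grep -E "^[[:space:]]*dontaudit[[:space:]]+${src}[[:space:]]+${tgt}[[:space:]]*:"
}

# Number of such rules (prints 0, and does not fail, when there are none).
count_dontaudit_rules_for() {
    dontaudit_rules_for "$1" "$2" | grep -c . || true
}

# Constructed sample of sesearch output, used only to show the filter at
# work off-line; it is not output captured from any real policy.
SAMPLE_RULES='dontaudit dovecot_t tmp_t:dir { getattr search };
   dontaudit dovecot_t tmp_t : file { read write } ;
allow dovecot_t tmp_t:dir { getattr search };
dontaudit sshd_t tmp_t:dir { search };'

# Live check, to be run on the SELinux host itself: ./check.sh live
check_live() {
    echo "== dontaudit rules from $SRC_DOMAIN to $TGT_TYPE in the loaded policy =="
    sesearch --dontaudit -s "$SRC_DOMAIN" -t "$TGT_TYPE" | dontaudit_rules_for "$SRC_DOMAIN" "$TGT_TYPE" || true

    echo "== rebuilding the policy with all dontaudit rules stripped =="
    semodule -DB

    echo "== dontaudit count reported by seinfo (should now be 0) =="
    seinfo --stats | grep -i dontaudit || echo "no Dontaudit line in seinfo --stats"

    echo "== reproduce the failing access now, then inspect AVCs with: =="
    echo "   ausearch -m avc -ts recent | grep -e $SRC_DOMAIN -e $TGT_TYPE"
    echo "== restore the dontaudit rules afterwards with: semodule -B =="
}

case "${1:-}" in
    live) check_live ;;
    demo) printf '%s\n' "$SAMPLE_RULES" | count_dontaudit_rules_for "$SRC_DOMAIN" "$TGT_TYPE" ;;
esac
```

Run it with `demo` to see the filter count two rules in the constructed sample, or with `live` on the host. A non-zero Dontaudit count from `seinfo --stats` after `semodule -DB` means the rebuild did not take effect and the silence in the audit log is still explained by suppression; a zero count with still no AVC means the denial is not being suppressed by dontaudit at all and the cause lies elsewhere.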