SELinux becomes a real problem as soon as something is configured to work in a non-standard way.
For me it was a custom dovecot setup in which files labelled
fusefs_t sit inside a
user_home_t home directory. The solution, I think, works just as well for other problems: it is the standard way to build a custom policy module.
After making sure the problem really is SELinux policy (for example, the operation succeeds right after a temporary setenforce 0 and fails again after setenforce 1), check the
audit.log for the corresponding messages:
sealert -a /var/log/audit/audit.log
This command prints the denials SELinux recorded. Make sure the log contains only the activity you expect from your setup; anything else will end up in the policy too. Then put the process's domain into
permissive mode, because otherwise SELinux blocks the very first denied access and you never get to see what the following steps would need:
semanage permissive -a dovecot_t
This sets permissive mode for the dovecot_t domain only: its denials are still logged but no longer enforced, while the rest of the system stays enforcing.
The next step is to generate fresh denials in
audit.log: I simply retrieve new mail, use
sieve filters and so on. When I feel everything has been exercised, it is time to create and apply a custom policy based on that activity.
Let's generate the policy:
audit2allow -a -M dovecot
This command creates
dovecot.te, the readable policy source, and dovecot.pp, the compiled module. Read dovecot.te before loading it: audit2allow -a takes every denial in the log, not only dovecot's, so unrelated or far too broad rules have to be removed by hand.
Now it is time to load the module.
semodule -i dovecot.pp
The command above can take a while: loading a module rebuilds the policy, which is not the fastest task, especially on a slow system.
Now the
dovecot_t domain can be removed from the permissive list.
semanage permissive -d dovecot_t
To be sure, check that the permissive list no longer contains the domain:
semanage permissive -l | grep dovecot_t
If there are other problems, or SELinux blocks something else, these steps can be repeated :)
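As an added example (not code from the original post), here is the same procedure as a small shell script. It filters audit records down to one source domain, summarises the denials the way audit2allow will see them, and refuses to continue if anything outside a list of expected activity shows up. The audit records and the expected-activity list are constructed for the example; build_module wraps the post's own commands and only runs where semanage is installed.

```shell
#!/bin/sh
# Added example, not from the original post: review the AVC denials of one
# domain before turning them into a policy module, then run the post's
# procedure on that subset only.  The audit records below are constructed
# to look like real audit.log lines; file names, inodes and PIDs are made up.

SAMPLE_AVC='type=AVC msg=audit(1624550000.101:201): avc:  denied  { read } for  pid=1201 comm="imap" name="dovecot.index" dev="fuse" ino=4101 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1624550000.102:202): avc:  denied  { write } for  pid=1201 comm="imap" name="dovecot.index.log" dev="fuse" ino=4102 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1624550000.103:203): avc:  denied  { search } for  pid=1201 comm="imap" name="Maildir" dev="fuse" ino=4103 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1624550000.104:204): avc:  denied  { name_connect } for  pid=1300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# The activity this dovecot setup is expected to produce (an assumption made
# for the example; adjust it to your own setup).  One
# "source target class { permission }" tuple per line, the shape avc_summary prints.
EXPECTED='dovecot_t fusefs_t file { read }
dovecot_t fusefs_t file { write }
dovecot_t fusefs_t dir { search }'

# Keep only the AVC records whose source domain (third field of scontext)
# is $1, e.g. dovecot_t.  Reads audit records on stdin.
avc_for_domain() {
    grep "scontext=[^ ]*:$1[: ]"
}

# Reduce each record to "source_type target_type tclass { permission }",
# deduplicated: these are the tuples audit2allow would turn into allow rules.
avc_summary() {
    sed -n 's/.*{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 { \1 }/p' \
        | sort -u
}

# Return 0 if every denial for domain $1 on stdin is listed in EXPECTED;
# otherwise print the unexpected tuples to stderr and return 1.  Run this
# before audit2allow, so nothing surprising becomes an allow rule.
check_denials() {
    tmp=$(mktemp)
    printf '%s\n' "$EXPECTED" > "$tmp"
    bad=$(avc_for_domain "$1" | avc_summary | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    if [ -n "$bad" ]; then
        printf 'unexpected denial: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# The procedure from the post, limited to one domain and with a review step.
# Needs root and the policycoreutils tools, so it only runs when they exist.
# $1 = domain (e.g. dovecot_t), $2 = module name (e.g. dovecot).
build_module() {
    domain=$1
    name=$2
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed, skipping" >&2; return 0; }
    semanage permissive -a "$domain"        # log but do not enforce, for this domain only
    echo "exercise the service now (fetch mail, run sieve), then press Enter"
    read -r _
    check_denials "$domain" < /var/log/audit/audit.log || return 1
    avc_for_domain "$domain" < /var/log/audit/audit.log | audit2allow -M "$name"
    cat "$name.te"                          # review the generated rules before loading them
    semodule -i "$name.pp"
    semanage permissive -d "$domain"
    # the permissive list must no longer mention the domain
    semanage permissive -l | grep -q "$domain" && { echo "$domain still permissive" >&2; return 1; }
    return 0
}

# Stand-alone demo on the constructed records; needs no SELinux tools.
printf '%s\n' "$SAMPLE_AVC" | avc_for_domain dovecot_t | avc_summary
if printf '%s\n' "$SAMPLE_AVC" | check_denials dovecot_t; then
    echo "only expected dovecot_t activity seen; safe to run audit2allow"
fi
```

Feeding audit2allow the filtered records instead of using -a is the point of the script: the httpd_t denial in the sample never reaches the dovecot module, and check_denials stops the run if dovecot_t ever asks for something not on the expected list.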