sec-policy/selinux-dovecot lacks required permissions for dovecot to be able to start and run.

Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:52): avc: denied { unlink } for pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292320 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:53): avc: denied { create } for pid=2837 comm="dovecot" name="stats-mail" scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:54): avc: denied { read write } for pid=2837 comm="dovecot" name="stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file
Oct 26 12:36:07 iax kernel: type=1400 audit(1351276567.341:55): avc: denied { open } for pid=2837 comm="dovecot" path="/var/run/dovecot/stats-mail" dev="sda3" ino=6292159 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:dovecot_var_run_t tclass=fifo_file

The following rules are needed to allow dovecot to start at boot time with SELinux enforcing:

allow dovecot_t dovecot_etc_t:lnk_file read_file_perms;
allow dovecot_t dovecot_etc_t:dir list_dir_perms;
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
Looks like those are already in the repo upstream (and should be in the live ebuilds). The only thing I seem to have needed was to allow dovecot to write to terminals (so that the errors can be displayed).
In hardened-dev, r6 release
In main tree, ~arch'ed
r8 is now stable