Re: dovecot wants to access squid cache dir

Vikram Goyal wrote:
hello,

I am using FC6. Running selinux in targeted mode.

selinux-policy-targeted-2.4.6-41
dovecot-1.0-1.1.rc15.fc6

Using dovecot I get the following audit messages.
----------------------------------------------------------------
type=USER_AUTH msg=audit(1173532461.741:31): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1173532461.753:32): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=AVC msg=audit(1173532461.781:33): avc:  denied  { getattr } for  pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.781:33): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a942 a1=bfff2068 a2=a5bff4 a3=8f6a94d items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.781:33):  path="/usr/sbin"
type=AVC msg=audit(1173532461.785:34): avc:  denied  { getattr } for  pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.785:34): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a943 a1=bfff2068 a2=a5bff4 a3=8f6a955 items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.785:34):  path="/var/spool/squid"
----------------------------------------------------------------

The advice audit2allow gives me:

[root@fc6host ~]# audit2allow
allow dovecot_t sbin_t:dir getattr;

I will add to next policy.

allow dovecot_t squid_cache_t:dir getattr;

Probably should be dontaudited; looks like dovecot is just listing /var/spool.

I have allowed it for now but I'm not sure.

Please advise.

Thanks!

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
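
Added example (not part of the original thread, and not audit2allow's own code): a small Python parser that joins each AVC denial with the AVC_PATH record sharing its audit event ID, so the denied path sits next to the candidate rule, and renders that rule as either allow or dontaudit. The function names are hypothetical; the sample is the AVC and AVC_PATH records from the post with the other record types left out.

```python
import re
from collections import defaultdict

# Sample input: AVC and AVC_PATH records copied from the post (other records omitted).
SAMPLE = '''\
type=AVC msg=audit(1173532461.781:33): avc:  denied  { getattr } for  pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=AVC_PATH msg=audit(1173532461.781:33):  path="/usr/sbin"
type=AVC msg=audit(1173532461.785:34): avc:  denied  { getattr } for  pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
type=AVC_PATH msg=audit(1173532461.785:34):  path="/var/spool/squid"
'''

# Record header: type, then the "timestamp:serial" event ID shared by related records.
HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def sel_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(':')[2]

def parse_denials(text):
    """Join each AVC denial with the AVC_PATH record sharing its audit event ID."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == 'AVC':
            a = AVC.search(body)
            if a:
                perms, scon, tcon, tclass = a.groups()
                events[event_id].update(perms=perms.split(), source=sel_type(scon),
                                        target=sel_type(tcon), tclass=tclass)
        elif rtype == 'AVC_PATH':
            p = re.search(r'path="([^"]*)"', body)
            if p:
                events[event_id]['path'] = p.group(1)
    # Drop events that had a path record but no parsable denial.
    return [e for e in events.values() if 'source' in e]

def rule(denial, keyword='allow'):
    """Render a policy rule; keyword is 'allow' or 'dontaudit'."""
    perms = denial['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"{keyword} {denial['source']} {denial['target']}:{denial['tclass']} {perm_s};"

if __name__ == '__main__':
    for d in parse_denials(SAMPLE):
        print(d.get('path', '?'), '->', rule(d))
```

Seeing the path beside each rule is what lets a reviewer decide per target type whether the access is needed or is only a side effect to be silenced with dontaudit.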
