On 11/28/2009 11:35 PM, Roland Roberts wrote:
> I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
> installed. I have a small user database set up for email
> authentication. The issue I'm having is that when I am in enforcing
> mode, dovecot can't connect to the database. Turning off enforcing
> mode lets it work. I'm having trouble diagnosing where the denial is
> taking place as I don't see any avc messages in /var/log/messages
> that relate to dovecot. The only messages I'm getting are in
> /var/log/maillog from dovecot like this

I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.
https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ

> Any clues on what I need to do to get this to work? Or where to look
> for clues since, as I mentioned, I can't even find log entries that
> would clue me in.

First step is to look in /var/log/messages for "sealert" lines (assuming
that the setroubleshoot service is running). The meat of the details of
the denial will be in /var/log/audit/audit.log.

    # egrep "(dovecot|postgres)" /var/log/audit/audit* | audit2allow

It'll probably spit out something like:

    allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

Depending on what database server you are running, of course.
You'll want to set your system to "permissive" and let SELinux gather
messages in the audit.log. Then you can run audit2allow once, check its
suggestions, and then create and apply a new policy.