Re: SELinux won't let dovecot connect to postgresql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/29/2009 08:44 PM, Roland Roberts wrote:

On 11/29/2009 05:11 AM, Sandro Janke wrote:
Actually, you don't need to have any of the setroubleshoot packages installed to get AVC messages logged. What you need is auditd running and it will log AVC messages to /var/log/audit/audit.log
With setroubleshoot-server installed you can watch the logged messages using: 

# sealert -a /var/log/audit/audit.log
The output will be long and in the style of setroubleshoot browser, so take your measures.
Another tool - from the audit package - that can prove very useful is ausearch. It will search the audit logs for messages matching the given criteria.
But I'm not getting any messages there. And changing enforcing mode fixes the problem, so it seems like it has to be SELinux, but with no log, I can't figure out what rule needs to be changed. 




At the suggestion of Daniel Walsh, I ran

semodule -DB
then restarted dovecot and got my messages. I've used those to create policy, but can't load it.
I've configured dovecot to use a local socket connection to postgres. Here is what I for SELinux:
grep 'Dec 2.*dovecot-auth' /var/log/messages| audit2allow -m local > local.te 
328 root> cat local.te

module local 1.0;

require {
    type dovecot_auth_t;
    type unlabeled_t;
    type postgresql_tmp_t;
    class sock_file write;
    class unix_stream_socket read;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

#============= unlabeled_t ==============
allow unlabeled_t self:unix_stream_socket read;
329 root> make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/local.mod 
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
330 root> semodule -i local.pp
libsepol.print_missing_requirements: local's global requirements were not met: type/attribute dovecot_auth_t 
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

I'm at a loss on what to do here.  Suggestions on why it would tell me this?

roland

--
		       PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD                             RL Enterprises
roland@xxxxxxxxxxx                            6818 Madeline Court
roland@xxxxxxxxxxxxx                           Brooklyn, NY 11220

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux