On 12/02/2009 06:57 PM, Roland Roberts wrote:
Roland Roberts wrote:
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged, I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.
I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I don't
think this is complete as I'm using the tcp port for PostgreSQL and the
policy only allows that, not the unix domain socket (which I should
probably configure instead). But at least I can now run in enforcing mode.
365 root> cat *.te
module dovecotauthfixes 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
module eximfixes 1.0;
require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;
module httpdfixes 1.0;
require {
type postgresql_port_t;
type httpd_t;
type pop_port_t;
class tcp_socket { name_bind name_connect };
}
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;
roland
You can also just set the booleans
# setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1
Please read:
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
This explains the four things SELinux is trying to tell you. In order
of most common to least
1 You have a labeling problem (restorecon/semanage fcontext)
2 You have a selinux confiuration problem (booleans, semanage selinux
settings)
3 Bug in selinux-policy or application (audit2allow -M localpolicy)
4 You have been hacked.
In the case of what you are reporting most fall into category 2.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
