SELinux won't let dovecot connect to postgresql
Bandan Das
bandan.das at stratus.com
Wed Dec 2 20:44:50 UTC 2009
On Wed, 2009-12-02 at 15:22 -0500, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
> > On 11/29/2009 05:11 AM, Sandro Janke wrote:
> >> Actually, you don't need to have any of the setroubleshoot packages
> >> installed to get AVC messages logged. What you need is auditd running
> >> and it will log AVC messages to /var/log/audit/audit.log
> >>
> >> With setroubleshoot-server installed you can watch the logged
> >> messages using:
> >>
> >> # sealert -a /var/log/audit/audit.log
> >>
> >> The output will be long and in the style of setroubleshoot browser,
> >> so take your measures.
> >>
> >> Another tool - from the audit package - that can prove very useful is
> >> ausearch. It will search the audit logs for messages matching the
> >> given criteria.
> >
> > But I'm not getting any messages there. And changing enforcing mode
> > fixes the problem, so it seems like it has to be SELinux, but with no
> > log, I can't figure out what rule needs to be changed.
> >
> >
>
> At the suggestion of Daniel Walsh, I ran
>
> semodule -DB
>
> then restarted dovecot and got my messages. I've used those to create
> policy, but can't load it.
>
> I've configured dovecot to use a local socket connection to postgres.
>
> Here is what I have for SELinux:
>
> grep 'Dec 2.*dovecot-auth' /var/log/messages | audit2allow -m local > local.te
> 328 root> cat local.te
>
> module local 1.0;
>
> require {
> type dovecot_auth_t;
> type unlabeled_t;
> type postgresql_tmp_t;
> class sock_file write;
> class unix_stream_socket read;
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
>
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to
> tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were
> not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> I'm at a loss on what to do here. Suggestions on why it would tell me
> this?
I guess dovecot_auth_t should have been defined in dovecot.te. Are you
sure you have dovecot.pp loaded?
> roland
>
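The link failure above ("global requirements were not met: type/attribute dovecot_auth_t") means a type named in the module's require block is not present in the loaded policy. The following script, added here as an example and not part of the thread or of the audit2allow/semodule tools, extracts the types from a .te file's require block and reports any that the running policy does not define. The sample local.te is reconstructed from the thread; the lookup assumes the setools `seinfo -t TYPE` command prints the type name when it exists, and a caller-supplied list of known types can be passed instead so the check runs without a policy.

```shell
#!/bin/sh
# Constructed sample: the module from the thread (indentation added).
LOCAL_TE="$(cat <<'EOF'
module local 1.0;

require {
    type dovecot_auth_t;
    type unlabeled_t;
    type postgresql_tmp_t;
    class sock_file write;
    class unix_stream_socket read;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
EOF
)"

# Print the type names listed inside the require { ... } block, one per line.
required_types() {
    printf '%s\n' "$1" | awk '
        $1 == "require" { in_req = 1; next }
        in_req && $1 == "}" { in_req = 0 }
        in_req && $1 == "type" { sub(/;$/, "", $2); print $2 }
    '
}

# Report required types missing from the policy.  $1 is the .te text;
# $2 is an optional newline-separated list of known types.  When $2 is
# empty the loaded policy is queried with seinfo (assumed to print the
# type name on a hit).  Returns 0 if nothing is missing, 1 otherwise.
check_required_types() {
    te="$1"; known="$2"; missing=0
    for t in $(required_types "$te"); do
        if [ -n "$known" ]; then
            printf '%s\n' "$known" | grep -qx "$t" && continue
        elif seinfo -t "$t" 2>/dev/null | grep -qw "$t"; then
            continue
        fi
        echo "missing type: $t"
        missing=1
    done
    return $missing
}
```

On a live system run `check_required_types "$(cat local.te)"` before `semodule -i`; a missing dovecot_auth_t points at the dovecot policy module (dovecot.pp) not being loaded rather than at the generated rules.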
More information about the fedora-selinux-list mailing list