SELinux won't let dovecot connect to postgresql

Bandan Das bandan.das at stratus.com
Wed Dec 2 20:44:50 UTC 2009


On Wed, 2009-12-02 at 15:22 -0500, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
> > On 11/29/2009 05:11 AM, Sandro Janke wrote:
> >> Actually, you don't need to have any of the setroubleshoot packages
> >> installed to get AVC messages logged. What you need is auditd running
> >> and it will log AVC messages to /var/log/audit/audit.log
> >>
> >> With setroubleshoot-server installed you can watch the logged
> >> messages using:
> >>
> >> # sealert -a /var/log/audit/audit.log
> >>
> >> The output will be long and in the style of setroubleshoot browser,
> >> so take your measures.
> >>
> >> Another tool - from the audit package - that can prove very useful is
> >> ausearch. It will search the audit logs for messages matching the
> >> given criteria.
> >
> > But I'm not getting any messages there.  And changing enforcing mode
> > fixes the problem, so it seems like it has to be SELinux, but with no
> > log, I can't figure out what rule needs to be changed.
> >
> >
> 
> At the suggestion of Daniel Walsh, I ran
> 
> semodule -DB
> 
> then restarted dovecot and got my messages.   I've used those to create
> policy, but can't load it.
> 
> I've configured dovecot to use a local socket connection to postgres.
> 
> Here is what I have for SELinux:
> 
> grep 'Dec  2.*dovecot-auth' /var/log/messages| audit2allow -m local > local.te
> 328 root> cat local.te
> 
> module local 1.0;
> 
> require {
>      type dovecot_auth_t;
>      type unlabeled_t;
>      type postgresql_tmp_t;
>      class sock_file write;
>      class unix_stream_socket read;
> }
> 
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
> 
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> I'm at a loss on what to do here.  Suggestions on why it would tell me
> this?
I guess dovecot_auth_t should have been defined in dovecot.te. Are you
sure you have dovecot.pp loaded?

> roland
> 
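An added example, not code from this thread, of the pre-flight check that the reply above implies: read the `require { }` block of a `.te` file produced by audit2allow and report every type the running policy does not know, which is what `semodule -i` rejects with "global requirements were not met: type/attribute ...". It assumes the known-types list on a real host is produced with the setools command `seinfo -t`; the demo uses a constructed `.te` file and a constructed type list so it runs without SELinux.

```shell
#!/bin/sh
# Added example, not code from the thread: before "semodule -i local.pp",
# list the types named in the .te file's require { } block that the loaded
# policy does not know; such a type is what makes semodule report
# "global requirements were not met: type/attribute <name>".
# On a real host the known-types file would come from "seinfo -t" (setools,
# assumed installed); the demo uses a constructed list instead.

# Print the type names declared in the require { } block, one per line.
require_types() {
    awk '/^[ \t]*require/      { inreq = 1; next }
         inreq && /^[ \t]*}/   { inreq = 0 }
         inreq && /^[ \t]*type[ \t]/ {
             sub(/^[ \t]*type[ \t]+/, "")   # drop the "type" keyword
             sub(/[ \t]*;.*$/, "")          # drop the trailing ";"
             print
         }' "$1"
}

# Print each required type that does not appear in the known-types file.
missing_requires() {
    require_types "$1" | while IFS= read -r t; do
        grep -qx -- "$t" "$2" || printf '%s\n' "$t"
    done
}

# Demo on constructed input: the same require block as the thread's local.te
# and a known-types list in which dovecot_auth_t is absent (dovecot.pp not
# loaded).  Prints the missing type names on stdout.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local.te" <<'EOF'
module local 1.0;
require {
     type dovecot_auth_t;
     type unlabeled_t;
     type postgresql_tmp_t;
     class sock_file write;
     class unix_stream_socket read;
}
allow dovecot_auth_t postgresql_tmp_t:sock_file write;
EOF
    printf '%s\n' unlabeled_t postgresql_tmp_t postgresql_t > "$tmp/types.txt"
    missing_requires "$tmp/local.te" "$tmp/types.txt"
    rm -rf "$tmp"
}
```

Any name the check prints needs its owning module loaded (here dovecot.pp) before local.pp can link; an empty result means the require block can be satisfied.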

More information about the fedora-selinux-list mailing list