SELinux Blocking LDAP Connections

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 29 12:18:24 UTC 2005


On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote:
> Does anybody know of any problems with the new SELinux installed in 
> Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user 
> accounts. Fedora (through the system-auth PAM module and nsswitch) will 
> log in correctly, but dovecot (version 0.99.14-4.fc4) and apache 
> (version 2.0.54-10) cannot connect to the ldap server when SELinux is 
> enabled. I use dovecot-ldap.conf for dovecot to get the users and their 
> home directories. In Apache, I use basic authentication through LDAP to 
> protect a WebDAV accessible folder. For a long time, I thought Dovecot 
> wasn't working correctly, but after I set up Apache and it too didn't 
> work with OpenLDAP, I came to think that SELinux is blocking something. 
> Now the problem is I am not well enough informed about SELinux to be 
> able to debug where the problem may reside.
> 
> This is the message I get in /var/log/maillog when SELinux is enabled:
>     Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: 
> Can't contact LDAP server
> 
> And this is the error I get in /etc/httpd/logs/mydomain.com-error_log
>     [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962] 
> auth_ldap authenticate: user myuser authentication failed; URI 
> /calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
> 
> I can get you SELinux contexts for certain files if you need them, but I 
> don't have a clue on which ones to include.

Look in /var/log/audit/audit.log, particularly for messages with the
type=AVC prefix.  SELinux permission denials are now logged there by the
audit daemon (previously they would go to /var/log/messages).  And
report them to fedora-selinux-list.

-- 
Stephen Smalley
National Security Agency
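A small parser for the type=AVC records Stephen points at, added here as an example (it is not code from this thread or from the SELinux project); the audit lines it runs on are constructed to mirror the symptoms in the question, not taken from the poster's system, and the domain and type names in them are illustrative.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from the original thread).
# Contexts and ports are illustrative; only the record layout matters here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1120000874.123:101): avc:  denied  { name_connect } for  pid=5962 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1120000874.123:101): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1120000851.456:99): avc:  denied  { name_connect } for  pid=4120 comm="dovecot-auth" dest=389 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=AVC msg=audit(1120000851.456:99): avc:  denied  { read } for  pid=4120 comm="dovecot-auth" name="ldap.conf" dev=hda2 ino=12345 scontext=root:system_r:dovecot_auth_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Header of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# Trailing key=value fields; values may be double-quoted (comm, name) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "decision": m["decision"], "perms": m["perms"].split()}
    for key, raw, quoted in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def denials(log_text):
    """All denied AVC records in the given audit.log text, in file order."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["decision"] == "denied"]


def summarize(records):
    """Count (comm, permission, tclass, target type) so repeated denials stand out."""
    counts = Counter()
    for r in records:
        tctx = r.get("tcontext", "")
        ttype = tctx.split(":")[2] if tctx.count(":") >= 2 else "?"
        for perm in r["perms"]:
            counts[(r.get("comm"), perm, r.get("tclass"), ttype)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(denials(SAMPLE_AUDIT_LOG)).items():
        print(n, key)
```

Run against a real /var/log/audit/audit.log, the tuple counts are what to paste into a report to fedora-selinux-list.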
