FC5 services that will not start

Paul Howarth paul at city-fan.org
Mon Jun 26 16:20:23 UTC 2006


Chris Jones wrote:
> Paul Howarth wrote:
>> Chris Jones wrote:
>>> Paul Howarth wrote:
>>>> Chris Jones wrote:
>>>>> Paul Howarth wrote:
>>>>>> On Sun, 2006-06-25 at 23:16 +0100, Chris Jones wrote:
>>>>>>  
>>>>>>> I am using FC5 on a generic Athlon x64 PC. I am having problems 
>>>>>>> with several services.
>>>>>>>
>>>>>>> 1. Dovecot refuses to start. When I attempt to start the service 
>>>>>>> I get a message in /var/log/messages as follows:
>>>>>>> Jun 25 23:05:38 bilbo kernel: audit(1151273138.255:415): avc:  
>>>>>>> denied  { create } for  pid=1480 comm="dovecot" 
>>>>>>> scontext=user_u:system_r:dovecot_t:s0 
>>>>>>> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
>>>>>>>
>>>>>>> Can anyone here give me a hint on what I need to do to get this 
>>>>>>> working? From the log message, this seems to be something to do 
>>>>>>> with selinux.
>>>>>>>     
>>>>>>
>>>>>> Indeed it is. Some more diagnostic info would be useful. Can you post
>>>>>> the output of:
>>>>>>
>>>>>> # ausearch -a 415
>>>>>>   
>>>>> produces the output:
>>>>> [root@bilbo network-scripts]# ausearch -a 415
>>>>> -bash: ausearch: command not found
>>>>>
>>>>> Clearly, I am missing this application. Where should it be? Which RPM?
>>>>
>>>> It's in the "audit" package.
>>>>
>>> Now when I run this, I get the following response:
>>> [root@bilbo network-scripts]# ausearch -a 415
>>> <no matches>
>>
>> Have you rebooted since the error happened?
>>
>> Try this instead:
>>
>> # fgrep 1151273138.255:415 /var/log/messages
>>
> Results in:
> Jun 25 23:05:38 bilbo kernel: audit(1151273138.255:415): avc:  denied  { 
> create } for  pid=1480 comm="dovecot" 
> scontext=user_u:system_r:dovecot_t:s0 
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> 
> Which is the last time I tried to start dovecot yesterday.
> 
> Having started the auditd service and then tried to start dovecot, I see 
> the following in the audit log file:
> type=AVC msg=audit(1151335194.177:97): avc:  denied  { create } for  
> pid=7668 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0 
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> type=SYSCALL msg=audit(1151335194.177:97): arch=c000003e syscall=41 
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7668 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> comm="dovecot" exe="/usr/sbin/dovecot"
> type=AVC msg=audit(1151335246.188:98): avc:  denied  { create } for  
> pid=7682 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0 
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41 
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> comm="dovecot" exe="/usr/sbin/dovecot"
> 
> and a call to ausearch -a 98 gives:
> [root@bilbo audit]# ausearch -a 98
> ----
> time->Mon Jun 26 16:20:46 2006
> type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41 
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
> comm="dovecot" exe="/usr/sbin/dovecot"
> type=AVC msg=audit(1151335246.188:98): avc:  denied  { create } for  
> pid=7682 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0 
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> [root@bilbo audit]#

Well, you're doing something that's not currently in the dovecot policy. 
Are you doing anything "unusual" in your dovecot.conf?

I've got a pretty "vanilla" setup, which doesn't need any SELinux tweaking:

# grep '^ *[^ #]' /etc/dovecot.conf
protocols = imap imaps
ssl_cert_file = /etc/pki/tls/certs/city-fan-imap.crt
ssl_key_file = /etc/pki/tls/certs/city-fan-imap.key
default_mail_env = maildir:%h/mail/inbox
maildir_copy_with_hardlinks = yes
protocol imap {
   listen = 127.0.0.1
   ssl_listen = *
}
protocol pop3 {
   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
   postmaster_address = postmaster@example.com
}
auth default {
   mechanisms = plain
   passdb pam {
   }
   userdb passwd {
   }
   user = root
}
plugin {
}

It's pretty easy to fix the issue you're having in FC5, but I'd like to 
understand it first...

Paul.
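
An added example, not part of the original message: a small Python parser that pairs the AVC and SYSCALL records of one audit event by the id that `ausearch -a` matches on, then decodes the syscall fields. The function names `parse` and `explain` are hypothetical, the lookup tables cover only a few x86_64 values, and the sample is the event 98 records quoted above, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the event 98 records from the message, one record per line.
SAMPLE = """\
type=AVC msg=audit(1151335246.188:98): avc:  denied  { create } for  pid=7682 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0 tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41 success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
"""

# Partial lookup tables for x86_64 Linux (arch=c000003e); assumption: extend as needed.
SYSCALLS = {41: "socket", 42: "connect", 49: "bind"}
FAMILIES = {0: "AF_UNSPEC", 1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ERRNOS = {-13: "EACCES", -1: "EPERM"}

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def parse(text):
    """Group records by (timestamp, serial) so AVC and SYSCALL halves meet."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, stamp, serial = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:
            rec["perms"] = p.group(1).split()
        events[(stamp, int(serial))][rtype] = rec
    return events

def explain(event):
    """Merge one event's AVC and SYSCALL records into a readable summary."""
    avc, sc = event["AVC"], event["SYSCALL"]
    nr = int(sc["syscall"])
    out = {"perms": avc["perms"], "tclass": avc["tclass"], "source": avc["scontext"],
           "exe": sc["exe"], "syscall": SYSCALLS.get(nr, str(nr)),
           "errno": ERRNOS.get(int(sc["exit"]), sc["exit"])}
    if out["syscall"] == "socket":
        # a0..a3 are logged in hex: socket(domain=a0, type=a1, protocol=a2)
        out["domain"] = FAMILIES.get(int(sc["a0"], 16), sc["a0"])
        out["type"] = SOCK_TYPES.get(int(sc["a1"], 16), sc["a1"])
    return out

if __name__ == "__main__":
    for key, ev in parse(SAMPLE).items():
        print(key, explain(ev))
```

For event 98 this reports a `socket()` call with domain `AF_UNSPEC` and type `SOCK_STREAM` from `/usr/sbin/dovecot`, failing with `EACCES`.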



