SELinux Blocking LDAP Connections

Justin Willmert justin at
Wed Jun 29 17:24:22 UTC 2005

Stephen Smalley wrote:

>On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote:
>>Does anybody know of any problems with the new SELinux installed in 
>>Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user 
>>accounts. Fedora (throught the system-auth PAM module and nsswitch) will 
>>log in correctly, but dovecot (version 0.99.14-4.fc4) and apache 
>>(version 2.0.54-10) cannot connect to the ldap server when SELinux is 
>>enabled. I use dovecot-ldap.conf for dovecot to get the users and their 
>>home directories. In Apache, I use basic authentication through LDAP to 
>>protect a WebDAV accessible folder. For a long time, I thought Dovecot 
>>wasn't working correctly, but after I set up Apache and it too didn't 
>>work with OpenLDAP, I came to think that SELinux is blocking something. 
>>Now the problem is I am not well enough informed about SELinux to be 
>>able to debug where the problem may reside.
>>This is the message I get in /var/log/maillog when SELinux is enabled:
>>    Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed: 
>>Can't contact LDAP server
>>And this is the error I get in /etc/httpd/logs/
>>    [Tue Jun 28 17:21:37 2005] [warn] [client] [5962] 
>>auth_ldap authenticate: user myuser authentication failed; URI 
>>/calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>>I can get you SELinux contexts for certain files if you need them, but I 
>>don't have a clue on which ones to include.
>Look in /var/log/audit/audit.log, particularly for messages with the
>type=AVC prefix.  SELinux permission denials are now logged there by the
>audit daemon (previously they would go to /var/log/messages).  And
>report them to fedora-selinux-list.
Ok. I've been told (as you can see above) to report this problem to this 
list instead of fedora-list (Just used a mailing list for the first time 
yesterday, so I'm still learning about them). As you can see above, I'm 
having a problem with SELinux and Dovecot and Apache. After looking 
through my audit.log file, these are the lines I thought were most 

This is what I found concerning apache:

    type=AVC msg=audit(1119048563.037:3670666): avc:  denied  {
    name_connect } for pid=6051 comm="httpd" dest=389   
    tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
    type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19
    a1=8347e80 a2=10
    type=SOCKADDR msg=audit(1119048563.054:3670776):
    type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003
    syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19
    items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0
    egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"

And this is what I found concerning Dovecot:

    type=AVC msg=audit(1119053800.290:1566630): avc:  denied  { read }
    for  pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345
    scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t
    type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev"
    inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
    type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003
    syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0
    items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
    egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
    type=AVC msg=audit(1119053800.291:1566631): avc:  denied  { write }
    for  pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534
    scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t
    type=PATH msg=audit(1119053900.137:1641147): item=0
    name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0

Both of these sets were repeated multiple times throughout the log.

Justin Willmert

More information about the fedora-selinux-list mailing list