SELinux won't let dovecot connect to postgresql (SOLVED!)
Roland Roberts
roland at astrofoto.org
Fri Dec 4 04:53:37 UTC 2009
On 12/02/2009 06:57 PM, Roland Roberts wrote:
> Okay, here's what I finally ended up with that has me running in
> enforcing mode. I have both dovecot and exim using PostgreSQL for
> authentication. I had originally had them connecting via tcp, but
> changed them to use the unix domain socket. The policies below allow
> either.
>
> [...]
> module eximfixes 1.0;
>
> require {
> type postgresql_tmp_t;
> type exim_t;
> type postgresql_t;
> class sock_file write;
> class unix_stream_socket connectto;
> }
>
> #============= exim_t ==============
> allow exim_t postgresql_t:unix_stream_socket connectto;
> allow exim_t postgresql_tmp_t:sock_file write;
>
> module httpdfixes 1.0;
>
> require {
> type postgresql_port_t;
> type httpd_t;
> type pop_port_t;
> class tcp_socket { name_bind name_connect };
> }
>
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
> allow httpd_t postgresql_port_t:tcp_socket name_connect;

The above are not actually necessary; only the dovecot fix was needed.
Daniel Walsh pointed out that there were booleans I could set for the
other problems, namely

    # setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1 exim_can_connect_db=1

replaces all of the above.

roland
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland at rlenter.com 6818 Madeline Court
roland at astrofoto.org Brooklyn, NY 11220
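
Added example, not part of the original message: a shell check for the change described above, reporting which of the three booleans are not yet on and which of the two quoted modules (eximfixes, httpdfixes) are still loaded. It assumes the "name --> on" line format of `getsebool -a` and the module name in the first field of `semodule -l`; the sample input is constructed and the module name localpolicy is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Booleans and module names below are the ones named in the message.
WANTED_BOOLEANS="httpd_can_network_connect_db httpd_can_sendmail exim_can_connect_db"
REDUNDANT_MODULES="eximfixes httpdfixes"

# Reads `getsebool -a` output ("name --> on|off") on stdin and prints each
# wanted boolean that is off or absent from the loaded policy.
booleans_not_on() {
    awk -v wanted="$WANTED_BOOLEANS" '
        $2 == "-->" { state[$1] = $3 }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++)
                if (state[w[i]] != "on") print w[i]
        }'
}

# Reads `semodule -l` output on stdin (module name in the first field, an
# optional version after it) and prints the quoted modules still installed.
modules_still_loaded() {
    awk -v mods="$REDUNDANT_MODULES" '
        { loaded[$1] = 1 }
        END {
            n = split(mods, m, " ")
            for (i = 1; i <= n; i++)
                if (m[i] in loaded) print m[i]
        }'
}

# Constructed sample input (not captured from a real host).
# "localpolicy" is a hypothetical unrelated module.
SAMPLE_BOOLEANS='exim_can_connect_db --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on'
SAMPLE_MODULES='localpolicy 1.0
eximfixes 1.0
httpdfixes 1.0'

# Demo run over the constructed samples.
printf 'Booleans not on:\n'
printf '%s\n' "$SAMPLE_BOOLEANS" | booleans_not_on
printf 'Quoted modules still loaded:\n'
printf '%s\n' "$SAMPLE_MODULES" | modules_still_loaded
```

On a real host, pipe `getsebool -a` into booleans_not_on and `semodule -l` into modules_still_loaded. Going by the message, a module the second function lists can be dropped with `semodule -r` once the first prints nothing.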