SELinux won't let dovecot connect to postgresql

Roland Roberts roland at astrofoto.org
Wed Dec 2 20:22:34 UTC 2009


On 11/29/2009 08:44 PM, Roland Roberts wrote:
> On 11/29/2009 05:11 AM, Sandro Janke wrote:
>> Actually, you don't need to have any of the setroubleshoot packages 
>> installed to get AVC messages logged. What you need is auditd running 
>> and it will log AVC messages to /var/log/audit/audit.log
>>
>> With setroubleshoot-server installed you can watch the logged 
>> messages using:
>>
>> # sealert -a /var/log/audit/audit.log
>>
>> The output will be long and in the style of setroubleshoot browser, 
>> so take your measures.
>>
>> Another tool - from the audit package - that can prove very useful is 
>> ausearch. It will search the audit logs for messages matching the 
>> given criteria.
>
> But I'm not getting any messages there.  And changing enforcing mode 
> fixes the problem, so it seems like it has to be SELinux, but with no 
> log, I can't figure out what rule needs to be changed.
>
>

At the suggestion of Daniel Walsh, I ran

semodule -DB

then restarted dovecot and got my messages.   I've used those to create 
policy, but can't load it.

I've configured dovecot to use a local socket connection to postgres.  
Here is what I did for SELinux:

grep 'Dec  2.*dovecot-auth' /var/log/messages | audit2allow -m local > local.te
328 root> cat local.te

module local 1.0;

require {
     type dovecot_auth_t;
     type unlabeled_t;
     type postgresql_tmp_t;
     class sock_file write;
     class unix_stream_socket read;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

#============= unlabeled_t ==============
allow unlabeled_t self:unix_stream_socket read;
329 root> make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
330 root> semodule -i local.pp
libsepol.print_missing_requirements: local's global requirements were not met: type/attribute dovecot_auth_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

I'm at a loss on what to do here.  Suggestions on why it would tell me this?

roland

-- 
		       PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD                             RL Enterprises
roland at rlenter.com                            6818 Madeline Court
roland at astrofoto.org                           Brooklyn, NY 11220
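The semodule error above says the module's require{} block names a type (dovecot_auth_t) that the loaded policy on that host does not define, so linking fails before any allow rule is considered. A practitioner would check the required types against the policy before building. The script below is an added example, not code from the thread or from the SELinux project: it extracts the types from a .te require{} block and reports which ones are absent from a list of known types. The .te text is the one posted above; the known-type list is constructed here to stand in for `seinfo -t` output (setools) on a host where the dovecot module is not loaded, and in a real run you would feed that command's output in instead. Note also that the second generated rule grants access to unlabeled_t, which indicates an object with no label at all; that normally points to relabeling the file or socket rather than to a new allow rule.

```shell
#!/bin/sh
# Added example: check that every type a .te module requires exists in the
# policy before running checkmodule/semodule. Not part of the original thread.

# The local.te from the post, embedded here as the sample input.
SAMPLE_TE=$(cat <<'EOF'
module local 1.0;

require {
     type dovecot_auth_t;
     type unlabeled_t;
     type postgresql_tmp_t;
     class sock_file write;
     class unix_stream_socket read;
}

allow dovecot_auth_t postgresql_tmp_t:sock_file write;
allow unlabeled_t self:unix_stream_socket read;
EOF
)

# Constructed stand-in for `seinfo -t` output on a host whose dovecot policy
# module is not loaded, so dovecot_auth_t is deliberately missing. On a real
# system replace the body with:  seinfo -t | tail -n +2
known_types() {
  printf '%s\n' unlabeled_t postgresql_tmp_t postgresql_t dovecot_t
}

# Read a .te file on stdin and print the types named in its require{} block,
# one per line (audit2allow writes one "type NAME;" per line).
required_types() {
  sed -n '/^require[[:space:]]*{/,/^}/p' |
    sed -n 's/^[[:space:]]*type[[:space:]][[:space:]]*\([A-Za-z0-9_]*\);.*/\1/p'
}

# Read a .te file on stdin; print each required type that the policy does not
# know and return 1 if any were missing, 0 if all are present.
missing_types() {
  known=$(known_types)
  rc=0
  for t in $(required_types); do
    if ! printf '%s\n' "$known" | grep -qx "$t"; then
      echo "$t"
      rc=1
    fi
  done
  return $rc
}

if missing=$(printf '%s\n' "$SAMPLE_TE" | missing_types); then
  echo "all required types exist; semodule -i should link cleanly"
else
  echo "types absent from the loaded policy (semodule -i will fail on these):"
  echo "$missing"
fi
```

If dovecot_auth_t is reported missing, the next thing to look at is whether the dovecot policy module is loaded at all (`semodule -l`), since the type is defined there and not in the base policy.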