SELinux won't let dovecot connect to postgresql (SOLVED!)

Roland Roberts roland at astrofoto.org
Wed Dec 2 23:57:51 UTC 2009


Roland Roberts wrote:
> I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs 
> installed.  I have a small user database set up for email authentication.
> The issue I'm having is that when I am in enforcing mode, dovecot 
> can't connect to the database.  Turning off enforcing mode lets it 
> work.  I'm having trouble diagnosing where the denial is taking place 
> as I don't see any avc messages in /var/log/messages that relate to 
> dovecot.  The only messages I'm getting are in /var/log/maillog from 
> dovecot like this:
>
> Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to 
> maildb: could not connect to server: Permission denied
> Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running 
> on host "fred.flinstone.org" and accepting
> Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on 
> port 5432?
>
> The answer to the questions is "yes" it is running and accepting 
> connections.  Whether or not enforcing mode is on, when logged in, I 
> can connect to the database via
>
> $ psql -h fred.flinstone.org maildb
>
> I *think* this is a result of updating on Nov 18.  I have not changed 
> the default selinux mode since the host was set up back in September.  
> At that point, I set it to enforcing mode after working out a few 
> issues.  On Nov 18, a lot of things were updated, but among them were
>
> Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
> Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
> Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
> Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
> Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
> Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
>
> Today, I did another update, hoping it would cure the problem and got 
> these revisions
>
> Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
> Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
>
> but the behavior is unchanged; I still have to turn off enforcing mode.
>
> Any clues on what I need to do to get this to work?  Or where to look 
> for clues since, as I mentioned, I can't even find log entries that 
> would clue me in.
>
> roland

Okay, here's what I finally ended up with that has me running in 
enforcing mode.  I have both dovecot and exim using PostgreSQL for 
authentication.  I had originally had them connecting via tcp, but 
changed them to use the unix domain socket.  The policies below allow 
either.

I also ran into a problem with httpd needing access to PostgreSQL since 
I'm running Drupal with PostgreSQL as the backend.  And I have 
SquirrelMail running so httpd needs access to the imap/pop port.  I 
don't think this is complete as I'm using the tcp port for PostgreSQL 
and the policy only allows that, not the unix domain socket (which I 
should probably configure instead).  But at least I can now run in 
enforcing mode.

365 root> cat *.te

module dovecotauthfixes 1.0;

require {
        type dovecot_auth_t;
        type postgresql_port_t;
        type postgresql_tmp_t;
        type postgresql_t;
        class sock_file write;
        class tcp_socket name_connect;
        class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

module eximfixes 1.0;

require {
        type postgresql_tmp_t;
        type exim_t;
        type postgresql_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
        type postgresql_port_t;
        type httpd_t;
        type pop_port_t;
        class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;

roland

-- 
		       PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD                             RL Enterprises
roland at rlenter.com                            6818 Madeline Court
roland at astrofoto.org                           Brooklyn, NY 11220
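Added example (not from the post above, and not Fedora's or Dovecot's own tooling): the part Roland had trouble with was finding the denial. When auditd is running, AVC records go to /var/log/audit/audit.log rather than /var/log/messages, which is why grepping the latter turned up nothing. The script below assumes that setup plus the audit and policycoreutils packages (ausearch, checkmodule, semodule_package, semodule), reduces AVC records to the allow rules they imply in the same shape as the dovecotauthfixes.te module in the post, and shows the build/load steps. The three AVC lines are constructed for illustration, not copied from a real log.

```shell
#!/bin/sh
# Added example, not from the original post: locate the AVC denials behind
# "could not connect to server: Permission denied", turn them into a .te
# module the way audit2allow does, and build/load it.
# Assumptions: auditd is running, so denials land in /var/log/audit/audit.log
# (not /var/log/messages); ausearch, checkmodule, semodule_package and
# semodule come from the audit and policycoreutils packages.

# Constructed sample AVC records for the three accesses dovecot-auth needs to
# reach PostgreSQL (the TCP port, the socket file in /tmp, the server process).
# Illustrative only, not taken from a real audit log.
SAMPLE_AVC='type=AVC msg=audit(1259446991.437:201): avc:  denied  { name_connect } for  pid=3120 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259446991.438:202): avc:  denied  { write } for  pid=3120 comm="dovecot-auth" name=".s.PGSQL.5432" dev=sda3 ino=8212 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1259446991.439:203): avc:  denied  { connectto } for  pid=3120 comm="dovecot-auth" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket'

# Where the denials actually are: AVC records for a given command name
# (-m selects the record type, -c matches the comm= field).
show_denials() {
    ausearch -m avc -c "${1:-dovecot-auth}"
}

# Reduce each AVC line on stdin to: source_type target_type class permission
avc_fields() {
    sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]* *tcontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]* *tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Emit a policy module (same shape as the post's dovecotauthfixes.te) from
# the AVC lines on stdin; $1 is the module name.
avc_to_te() {
    fields=$(avc_fields)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # every source and target type must be declared in the require block
    printf '%s\n' "$fields" | awk '{ print $1; print $2 }' | sort -u |
        awk '{ print "\ttype " $1 ";" }'
    # one class line per object class, listing every permission seen for it
    printf '%s\n' "$fields" | awk '{ print $3, $4 }' | sort -u |
        awk '{ p[$1] = p[$1] " " $2 }
             END { for (c in p) print "\tclass " c " {" p[c] " };" }'
    printf '}\n\n'
    # one allow rule per distinct (source, target, class, permission)
    printf '%s\n' "$fields" | sort -u |
        awk '{ print "allow " $1 " " $2 ":" $3 " " $4 ";" }'
}

# Compile $1.te into a loadable package, install it and confirm it is listed
# (root required; this is what makes the rules take effect in enforcing mode).
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp" &&
    semodule -l | grep "^$1"
}

# Stand-alone demo: print the module generated from the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te dovecotauthfixes
```

Usage on a real host: `show_denials dovecot-auth > denials.txt`, then `avc_to_te dovecotauthfixes < denials.txt > dovecotauthfixes.te` and `build_and_load dovecotauthfixes`. Two checks are worth doing before loading anything: read the generated allow rules and keep only the ones the service genuinely needs (a webmail client connecting to IMAP/POP needs `name_connect` on those ports, not `name_bind`, which would also let it listen there), and run `getsebool -a` first, since the shipped policy has booleans such as `httpd_can_network_connect_db` that may already cover the httpd-to-PostgreSQL case without a custom module.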



