SELinux won't let dovecot connect to postgresql (SOLVED!)

Daniel J Walsh dwalsh at redhat.com
Thu Dec 3 15:51:22 UTC 2009


On 12/02/2009 06:57 PM, Roland Roberts wrote:
> Roland Roberts wrote:
>> I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
>> installed. I have a small user database set up for email authentication.
>> The issue I'm having is that when I am in enforcing mode, dovecot
>> can't connect to the database. Turning off enforcing mode lets it
>> work. I'm having trouble diagnosing where the denial is taking place
>> as I don't see any avc messages in /var/log/messages that relate to
>> dovecot. The only messages I'm getting are in /var/log/maillog from
>> dovecot like this:
>>
>> Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
>> maildb: could not connect to server: Permission denied
>> Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
>> on host "fred.flinstone.org" and accepting
>> Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
>> port 5432?
>>
>> The answer to the questions is "yes" it is running and accepting
>> connections. Whether or not enforcing mode is on, when logged in, I
>> can connect to the database via
>>
>> $ psql -h fred.flinstone.org maildb
>>
>> I *think* this is a result of updating on Nov 18. I have not changed
>> the default selinux mode since the host was set up back in September.
>> At that point, I set it to enforcing mode after working out a few
>> issues. On Nov 18, a lot of things were updated, but among there were
>>
>> Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
>> Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
>> Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
>> Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
>> Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
>> Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
>>
>> Today, I did another update, hoping it would cure the problem and got
>> these revisions
>>
>> Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
>> Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
>>
>> but the behavior is unchanged, I still have to turn off enforcing mode.
>>
>> Any clues on what I need to do to get this to work? Or where to look
>> for clues since, as I mentioned, I can't even find log entries that
>> would clue me in.
>>
>> roland
>
> Okay, here's what I finally ended up with that have me running in
> enforcing mode. I have both dovecot and exim using PostgreSQL for
> authentication. I had originally had them connecting via tcp, but
> changed them to use the unix domain socket. The policies below allow
> either.
>
> I also ran into a problem with httpd needing access to PostgreSQL since
> I'm running Drupal with PostgreSQL as the backend. And I have
> SquirrelMail running so httpd needs access to the imap/pop port. I don't
> think this is complete as I'm using the tcp port for PostgreSQL and the
> policy only allows that, not the unix domain socket (which I should
> probably configure instead). But at least I can now run in enforcing mode.
>
> 365 root> cat *.te
>
> module dovecotauthfixes 1.0;
>
> require {
> type dovecot_auth_t;
> type postgresql_port_t;
> type postgresql_tmp_t;
> type postgresql_t;
> class sock_file write;
> class tcp_socket name_connect;
> class unix_stream_socket connectto;
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
> allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
>
> module eximfixes 1.0;
>
> require {
> type postgresql_tmp_t;
> type exim_t;
> type postgresql_t;
> class sock_file write;
> class unix_stream_socket connectto;
> }
>
> #============= exim_t ==============
> allow exim_t postgresql_t:unix_stream_socket connectto;
> allow exim_t postgresql_tmp_t:sock_file write;
>
> module httpdfixes 1.0;
>
> require {
> type postgresql_port_t;
> type httpd_t;
> type pop_port_t;
> class tcp_socket { name_bind name_connect };
> }
>
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
> allow httpd_t postgresql_port_t:tcp_socket name_connect;
>
> roland
>
You can also just set the booleans

# setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1

Please read:

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf


This explains the four things SELinux is trying to tell you.  In order 
of most common to least

1 You have a labeling problem (restorecon/semanage fcontext)
2 You have a selinux configuration problem (booleans, semanage selinux settings)
3 Bug in selinux-policy or application (audit2allow -M localpolicy)
4 You have been hacked.

In the case of what you are reporting most fall into category 2.
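Dan's point (check category 2, a boolean, before reaching for category 3, an audit2allow module) can be turned into a small review step run over the `.te` files before `semodule -i`. The script below is an added example and is not code from the thread or from the selinux-policy project: `parse_te`, `review` and the `BOOLEAN_COVERS` table are my own names, the table only knows the booleans named in this thread and is an assumption to be confirmed against the installed policy (`getsebool -a`), and `SAMPLE_TE` is a constructed copy of Roland's allow rules with the `require` blocks abbreviated. It goes one step past the thread by also flagging `name_bind` on a port type, which is a listener permission a connecting client like SquirrelMail does not need.

```python
"""Review audit2allow-style SELinux .te modules before loading them.

Added example (not from the thread): parse the allow rules of each module,
then report which rules an existing boolean already grants (so no custom
module is needed), which need a module, and which should be looked at again.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    module: str
    source: str
    target: str
    tclass: str
    perms: frozenset


_MODULE_RE = re.compile(r"^\s*module\s+(\S+)\s+[\d.]+\s*;")
_ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")


def _perms(text):
    # "name_connect" or "{ name_bind name_connect }" -> set of permissions
    return frozenset(text.strip("{} ").split())


def parse_te(text):
    """Return the allow rules of every module in `text`, in file order."""
    rules, module = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop audit2allow's banner comments
        m = _MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        m = _ALLOW_RE.match(line)            # require/type/class lines are skipped
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append(AllowRule(module, src, tgt, cls, _perms(perms)))
    return rules


# ASSUMED coverage table: (source domain, target type, class, perm) -> boolean.
# Only the boolean from Dan's reply is listed; confirm on the real host with
# `getsebool -a` and the policy sources before relying on this.
BOOLEAN_COVERS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket", "name_connect"):
        "httpd_can_network_connect_db",
}


def review(text):
    """Classify every (rule, permission): boolean-covered, custom, or review."""
    findings = []
    for r in parse_te(text):
        for perm in sorted(r.perms):
            key = (r.source, r.target, r.tclass, perm)
            if key in BOOLEAN_COVERS:
                verdict = "covered by boolean " + BOOLEAN_COVERS[key]
            elif r.tclass == "tcp_socket" and perm == "name_bind":
                # name_bind lets the domain listen on the port; a client that
                # only connects out needs name_connect alone.
                verdict = "review: name_bind is a listener permission"
            else:
                verdict = "custom module needed"
            findings.append((r.module, r.source, r.target, r.tclass, perm, verdict))
    return findings


# Constructed input: the allow rules from the thread's three modules.
SAMPLE_TE = """\
module dovecotauthfixes 1.0;
require {
    type dovecot_auth_t; type postgresql_port_t; type postgresql_tmp_t;
    type postgresql_t; class sock_file write; class tcp_socket name_connect;
    class unix_stream_socket connectto;
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

module eximfixes 1.0;
#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;
"""

if __name__ == "__main__":
    for f in review(SAMPLE_TE):
        print("%-16s allow %s %s:%s %-13s -> %s" % f)
```

Run it as `python3 review_te.py`; each line names the module, the rule and the verdict. A rule reported as covered by a boolean is one you set with `setsebool -P` instead of shipping in a module, which keeps the local policy smaller and survives selinux-policy updates like the ones in Roland's yum log.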

