SELinux won't let dovecot connect to postgresql
Thomas Harold
thomas-lists at nybeta.com
Sun Nov 29 05:11:28 UTC 2009
On 11/28/2009 11:35 PM, Roland Roberts wrote:
> I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
> installed. I have a small user database set up for email
> authentication. The issue I'm having is that when I am in enforcing
> mode, dovecot can't connect to the database. Turning off enforcing
> mode lets it work. I'm having trouble diagnosing where the denial is
> taking place as I don't see any avc messages in /var/log/messages
> that relate to dovecot. The only messages I'm getting are in
> /var/log/maillog from dovecot like this
I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.
https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ
> Any clues on what I need to do to get this to work? Or where to look
> for clues since, as I mentioned, I can't even find log entries that
> would clue me in.
First step is to look in /var/log/messages for "sealert" lines (assuming
that the setroubleshoot service is running). The meat of the details of
the denial will be in /var/log/audit/audit.log.
# egrep "(dovecot|postgres)" /var/log/audit/audit* | audit2allow
It'll probably spit out something like:
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
Depending on what database server you are running, of course.
You'll want to set your system to "permissive" and let SELinux gather
messages in the audit.log. Then you can run audit2allow once, check its
suggestions, and then create and apply a new policy.
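An added example, not part of the reply above and not from the dovecot or SELinux projects: a POSIX shell script that walks the procedure just described on a constructed audit.log excerpt. The two AVC records, their timestamps, pids and the second (home-directory config file) denial are made up for illustration; the only thing taken from the thread is the dovecot_auth_t / postgresql_port_t name_connect denial. The avc_to_allow function shows what audit2allow derives from each record so the suggestions can be read one at a time before anything is compiled; build_and_apply_module runs the real audit2allow -M / semodule -i steps and only on a host that has those tools.

```shell
#!/bin/sh
# Constructed sample of what /var/log/audit/audit.log holds for the denial
# discussed in the thread (assumed content, not output from the poster's box).
# Record 1: dovecot-auth blocked from connecting to the PostgreSQL port.
# Record 2: an extra denial added to show why the suggestions need review.
SAMPLE_AUDIT='type=AVC msg=audit(1259460000.123:45): avc:  denied  { name_connect } for  pid=2345 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1259460000.123:45): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1259460010.456:46): avc:  denied  { read } for  pid=2346 comm="dovecot-auth" name="dovecot-sql.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_to_allow: read audit records on stdin and turn each "avc: denied" line
# into the allow rule audit2allow would print for it:
#   allow <source type> <target type>:<class> <permission>;
# Source and target types are the third field of scontext= / tcontext=.
avc_to_allow() {
    grep 'avc:  denied' | sed -E \
        's/.*denied  \{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/allow \2 \3:\4 \1;/'
}

# dovecot_pgsql_rules: the filter from the reply (dovecot or postgres records
# only), applied to a file or to stdin, then translated into allow rules.
dovecot_pgsql_rules() {
    grep -E '(dovecot|postgres)' "$@" | avc_to_allow
}

# build_and_apply_module: the "create and apply a new policy" step.
#   1. setenforce 0 and reproduce the failure so every denial is logged
#      (permissive mode logs denials instead of blocking them),
#   2. audit2allow -M writes <name>.te (readable source) and <name>.pp,
#   3. review <name>.te, then semodule -i installs it and setenforce 1
#      turns enforcing mode back on.
# Refuses to run where the SELinux tools are missing, so it is safe to
# source this file on a non-SELinux host.
build_and_apply_module() {
    name=${1:-dovecot_pgsql}     # module name is an assumption, pick your own
    for tool in setenforce audit2allow semodule; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not found; this step needs an SELinux host" >&2
            return 2
        fi
    done
    setenforce 0
    echo "permissive mode on: reproduce the dovecot login now, then press Enter" >&2
    read -r _dummy
    grep -E '(dovecot|postgres)' /var/log/audit/audit* | audit2allow -M "$name" || return 1
    echo "review $name.te before installing:" >&2
    cat "$name.te" >&2
    semodule -i "$name.pp" && setenforce 1
}

# Stand-alone run: show what the constructed records turn into.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow
```

On the sample the first rule is exactly the one quoted in the reply, `allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;`, and that is the rule the module should carry. The second, `allow dovecot_auth_t user_home_t:file read;`, is the kind of suggestion the review step is for: it would let the auth process read anything labelled as a user's home directory, when the real fix is to move or relabel that config file. Run build_and_apply_module only after pruning lines like that from the generated .te file.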