SELinux won't let dovecot connect to postgresql

Sandro Janke gui1ty_fedora at penguinpee.nl
Sun Nov 29 10:11:56 UTC 2009


On 11/29/2009 06:29 AM, Roland Roberts wrote:
> Thomas Harold wrote:
>> I think that you have to have the setroubleshoot service running in
>> order to get SELinux errors in /var/log/messages.
>>
>> https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ
>
> Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
> packages installed, but much of that package talks about turning on the
> setroubleshoot service; the file for that should be in
> /etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
> verify as correct (rpm -V) and rpm -qil does not show any such file in
> the inventory. There is a file /usr/sbin/setroubleshootd which is what I
> would expect for the daemon, but no file in /etc/rc.d/init.d references
> it. Odd. And if I try to manually launch it, it runs briefly, leaves a
> zero-length log file in /var/log/setroubleshoot/setroubleshootd.log.
>
> Note that I am *not* on an X11 desktop on this host. It is a server, and
> while it has X installed, it is in run level 3.

Actually, you don't need to have any of the setroubleshoot packages 
installed to get AVC messages logged. What you need is auditd running 
and it will log AVC messages to /var/log/audit/audit.log.

With setroubleshoot-server installed you can watch the logged messages 
using:

# sealert -a /var/log/audit/audit.log

The output will be long and in the style of the setroubleshoot browser, so 
take your measures.

Another tool - from the audit package - that can prove very useful is 
ausearch. It will search the audit logs for messages matching the given 
criteria.
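
As an added illustration (not part of the original message): a small Python parser that picks the AVC denial records out of raw audit.log lines and counts them per process and type pair, which is the kind of narrowing one would otherwise do with ausearch. The sample records, including the process names and SELinux type names in them, are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records in raw audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1259489000.101:310): avc:  denied  { name_connect } for  pid=2101 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1259489000.101:310): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth"
type=AVC msg=audit(1259489060.552:318): avc:  denied  { name_connect } for  pid=2107 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259489075.009:321): avc:  denied  { read write } for  pid=2230 comm="httpd" name="app.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=USER_AUTH msg=audit(1259489080.000:322): pid=2300 uid=0 msg='op=PAM:authentication acct="mailuser" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """An SELinux context is user:role:type[:level]; return the type part."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["serial"] = int(m.group("serial"))
    rec["source_type"] = context_type(rec.get("scontext", ""))
    rec["target_type"] = context_type(rec.get("tcontext", ""))
    return rec

def summarize(log_text):
    """Count denials per (comm, source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec.get("comm", "?"), rec["source_type"], rec["target_type"],
                    rec.get("tclass", "?"), rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (comm, src, tgt, cls, perms), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

On a real host, pass the contents of /var/log/audit/audit.log to `summarize()` instead of `SAMPLE_LOG`.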



