SELinux won't let dovecot connect to postgresql

Eric Paris eparis at redhat.com
Mon Nov 30 02:27:24 UTC 2009


On Sun, 2009-11-29 at 20:46 -0500, Roland Roberts wrote:
> On 11/29/2009 05:18 AM, Justin P. Mattock wrote:
> > In my case I normally just do:
> > audit2allow -d > to_the_allow_rules
> > audit2allow -i /var/log/*(and the rest of
> > the log messages having any left over avc's
> > to define into the policy);
> 
> Guys, you're driving me crazy :-/  I can't *find* a log entry to fix.  
> There's nothing where it's supposed to be.  So...if you agree that that 
> looks like a bug, I'll just go on and file a bug.  Otherwise I'm really 
> stuck.

I see that my F12 policy has a rule that allows dovecot_t to talk to
postgresql_port_t.  Not certain if it is controlled by a boolean which
is toggled wrong on your system or if you are having some other problem,
so let's start by seeing the actual avc denial.

AVCs can end up either in /var/log/messages or /var/log/audit/audit.log
(depending on the system setup.) Also in permissive mode denials are
only logged one time.  So you won't see a denial every time it ~would~
have triggered.  To flush the selinux cache I typically suggest you set
the system enforcing and back permissive quickly.  So let's do these
steps.

setenforce 1
setenforce 0
reproduce problem (or what would be a problem)
grep -i avc /var/log/messages
grep -i avc /var/log/audit/audit.log

If both of those come up blank you likely are hitting a problem that is
being 'dontaudit'.  I believe you said F11 (if not and it is old enough
to not understand semodule -DB let me know as there are other ways to do
this on older systems)?  If so, do these steps

semodule -DB
setenforce 1
setenforce 0
reproduce problem (or what would be a problem)
grep -i avc /var/log/messages /var/log/audit/audit.log
semodule -B

Let us know the output this time.  Hopefully we can get to the bottom of
this.

-Eric
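The two recipes above, as an added example (not code from this thread or from Fedora): a POSIX sh script that runs the setenforce/semodule steps on request and, more usefully, boils the grep output down to one counted line per distinct source/target/class/permission, so a dovecot_t to postgresql_port_t denial (or a boolean-gated one) stands out among repeats. The log paths are the ones Eric names; the reproducing command and the sample records are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: scripts Eric's AVC-hunting
# steps and summarises what the logged denials say.  Assumes root on a
# Fedora-era box with setenforce/semodule and the log paths named in the mail.
AUDIT_LOG=/var/log/audit/audit.log
SYSLOG=/var/log/messages

# Reduce raw AVC records on stdin to counted "source -> target class { perms }"
# lines, so a denial logged many times collapses into one entry.
summarize_avcs() {
    grep -i 'avc:' | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /\{[^}]*\}/)) {            # permissions between { }
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {              # third ":" field is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "") count[src " -> " tgt " " cls " { " perm " }"]++
    }
    END { for (k in count) print count[k] "x " k }' | sort
}

# The steps from the mail: toggle enforcing to flush the AVC cache, reproduce,
# grep both logs.  $1 is the reproducing command; $2 = "nodontaudit" wraps the
# run in "semodule -DB" ... "semodule -B" so dontaudit'ed denials show up too.
hunt_avcs() {
    repro="$1"; mode="${2:-}"
    [ "$mode" = "nodontaudit" ] && semodule -DB
    setenforce 1
    setenforce 0
    sh -c "$repro" || true
    cat "$SYSLOG" "$AUDIT_LOG" 2>/dev/null | summarize_avcs
    [ "$mode" = "nodontaudit" ] && semodule -B
    return 0
}

# Constructed sample records (not real log data): two audit.log lines and one
# as syslog prints it.
SAMPLE_AVCS='type=AVC msg=audit(1259548044.123:45): avc:  denied  { name_connect } for  pid=2345 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259548050.456:46): avc:  denied  { name_connect } for  pid=2345 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
Nov 29 20:40:01 mail kernel: type=1400 audit(1259548801.789:47): avc:  denied  { name_connect } for  pid=2346 comm="dovecot" dest=5432 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'
# Real run only on request, otherwise just summarise the sample:
#   AVC_HUNT=1 sh avc_hunt.sh '<command that makes dovecot talk to postgresql>' nodontaudit
if [ "${AVC_HUNT:-0}" = "1" ]; then hunt_avcs "$1" "${2:-}"
else printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs; fi
```

Without AVC_HUNT=1 the script touches nothing on the system and only prints the summary of the sample, which is the safe way to check the parsing before pointing it at a real log.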