Re: Dovecot SELinux configuration

[Paul Howarth <paul city-fan org>]

On Mon, 2006-03-27 at 14:40 -0500, Adam H. Pendleton wrote:
> I am setting up dovecot with postgresql for virtual users, but when I 
> configure dovecot to talk to postgresql, SELinux denies the TCP connection:
> 
> Mar 27 14:25:53 aragorn kernel: audit(1143487553.158:4): avc:  denied  { 
> name_connect } for  pid=2909 comm="dovecot-auth" dest=5432 
> scontext=user_u:system_r:dovecot_auth_t:s0 
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> Mar 27 14:26:53 aragorn kernel: audit(1143487613.737:5): avc:  denied  { 
> name_connect } for  pid=2939 comm="dovecot-auth" dest=5432 
> scontext=user_u:system_r:dovecot_auth_t:s0 
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> 
> Okay, so while I understand that SELinux is preventing dovecot from 
> making a connection to the postgresql tcp port, I don't really 
> understand what the "correct" way to fix it is.  I don't want to turn 
> off SELinux enforcement, but I also don't want to open up more than I 
> should trying to fix it.  What's the best way to allow this connection?

To fix small SELinux issues like this, you can create a local policy
module to allow the specific connection:

http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

However, given that this is something quite a lot of people would like
to do, I'd also suggest raising a bugzilla ticket on the SELinux polcy
you're using once you've got it working. Attach your module to the
ticket.

(this is for FC5 by the way; things are different for older distros)

Paul.