SELinux won't let dovecot connect to postgresql

Daniel J Walsh dwalsh at redhat.com
Wed Dec 2 21:37:19 UTC 2009


On 12/02/2009 03:22 PM, Roland Roberts wrote:
> On 11/29/2009 08:44 PM, Roland Roberts wrote:
>> On 11/29/2009 05:11 AM, Sandro Janke wrote:
>>> Actually, you don't need to have any of the setroubleshoot packages
>>> installed to get AVC messages logged. What you need is auditd running
>>> and it will log AVC messages to /var/log/audit/audit.log
>>>
>>> With setroubleshoot-server installed you can watch the logged
>>> messages using:
>>>
>>> # sealert -a /var/log/audit/audit.log
>>>
>>> The output will be long and in the style of setroubleshoot browser,
>>> so take your measures.
>>>
>>> Another tool - from the audit package - that can prove very useful is
>>> ausearch. It will search the audit logs for messages matching the
>>> given criteria.
>>
>> But I'm not getting any messages there.  And changing enforcing mode
>> fixes the problem, so it seems like it has to be SELinux, but with no
>> log, I can't figure out what rule needs to be changed.
>>
>>
> 
> At the suggestion of Daniel Walsh, I ran
> 
> semodule -DB
> 
> then restarted dovecot and got my messages. I've used those to create
> policy, but can't load it.
> 
> I've configured dovecot to use a local socket connection to postgres. 
> Here is what I have for SELinux:
> 
> grep 'Dec  2.*dovecot-auth' /var/log/messages| audit2allow -m local >
> local.te
> 328 root> cat local.te
> 
> module local 1.0;
> 
> require {
>     type dovecot_auth_t;
>     type unlabeled_t;
>     type postgresql_tmp_t;
>     class sock_file write;
>     class unix_stream_socket read;
> }
> 
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t postgresql_tmp_t:sock_file write;
> 
> #============= unlabeled_t ==============
> allow unlabeled_t self:unix_stream_socket read;
> 329 root> make -f /usr/share/selinux/devel/Makefile local.pp
> Compiling targeted local module
> /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to
> tmp/local.mod
> Creating targeted local.pp policy package
> rm tmp/local.mod.fc tmp/local.mod
> 330 root> semodule -i local.pp
> libsepol.print_missing_requirements: local's global requirements were
> not met: type/attribute dovecot_auth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> I'm at a loss on what to do here.  Suggestions on why it would tell me
> this?
> 
> roland
> 
Did you replace the dovecot.pp when you first tried this?
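As an added illustration (not code from this thread, nor from Fedora's policy tooling): the `semodule -i` failure quoted above says that a type named in the module's `require { }` block, `dovecot_auth_t`, is not defined in the policy currently loaded, which is exactly the situation Dan's question about `dovecot.pp` points at. The script below parses the `require` block of an audit2allow-generated `.te` file and compares its types against the types the running policy knows, so the missing module is diagnosed before `semodule -i` is attempted. The `local.te` embedded in it is a copy of the one posted; the fallback list of known types is constructed to simulate a box whose dovecot module is no longer loaded; `preflight` and the helper names are mine. Using `seinfo -t` (setools) for the live type list assumes its usual output format, a `Types:` header line followed by one type per line.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Pre-flight check for a
# local audit2allow module: every type in the .te's require { } block must
# already be defined in the loaded policy, otherwise `semodule -i` fails with
# "global requirements were not met: type/attribute <name>" as in the post.

# Constructed copy of the local.te from the post, used as offline demo input.
SAMPLE_TE='module local 1.0;

require {
    type dovecot_auth_t;
    type unlabeled_t;
    type postgresql_tmp_t;
    class sock_file write;
    class unix_stream_socket read;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

#============= unlabeled_t ==============
allow unlabeled_t self:unix_stream_socket read;'

# Print the type names required by the .te file read on stdin, one per line.
# Only the require { ... } block is inspected; "class" lines are ignored.
required_types() {
    sed -n '/^require[[:space:]]*{/,/^}/p' |
        sed -n 's/^[[:space:]]*type[[:space:]]\{1,\}\([A-Za-z0-9_]*\)[[:space:]]*;.*/\1/p'
}

# Print the required types (stdin) that do not appear in the known-types
# list passed as $1 (a newline-separated string).
missing_types() {
    known="$1"
    while read -r t; do
        printf '%s\n' "$known" | grep -qxF "$t" || printf '%s\n' "$t"
    done
}

# Types the running policy knows: `seinfo -t` (setools) when available
# (assumed format: "Types: N" header, then one indented type per line).
# Otherwise a constructed list simulating a system whose dovecot module has
# been removed or overwritten, so dovecot_auth_t no longer exists.
known_types() {
    if command -v seinfo >/dev/null 2>&1; then
        seinfo -t | awk 'NR > 1 { print $1 }'
    else
        printf '%s\n' unlabeled_t postgresql_tmp_t postgresql_t dovecot_t
    fi
}

# Report missing types; returns 1 if any are missing so a caller can stop
# before running `semodule -i local.pp`.
preflight() {
    te="$1"
    missing=$(printf '%s\n' "$te" | required_types | missing_types "$(known_types)")
    if [ -n "$missing" ]; then
        echo "missing types (is the owning module loaded? check 'semodule -l'):"
        printf '  %s\n' $missing
        return 1
    fi
    echo "all required types present; safe to run: semodule -i local.pp"
}

# Intended workflow on a real box (commands shown, not run here):
#   semodule -DB                                   # expose dontaudit'ed AVCs
#   ausearch -m avc -c dovecot-auth | audit2allow -M local
#   preflight "$(cat local.te)" && semodule -i local.pp
#   semodule -B                                    # re-enable dontaudit rules
preflight "$SAMPLE_TE" || echo "refusing to install local.pp"
```

Two practitioner notes on the workflow itself: `semodule -DB` turns off the policy's dontaudit rules so the hidden AVCs show up in audit.log, so run `semodule -B` afterwards to restore them or the log fills with noise that was deliberately silenced. And the `allow unlabeled_t self:unix_stream_socket read;` rule that audit2allow emitted is itself a warning sign rather than a rule to ship: `unlabeled_t` means an object that carries no label at all, usually something created before the policy was loaded or a file or socket that needs `restorecon`, so the fix is normally to relabel, not to allow.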

More information about the fedora-selinux-list mailing list