SELinux won't let dovecot connect to postgresql

Justin P. Mattock justinmattock at gmail.com
Sun Nov 29 05:05:36 UTC 2009


On 11/28/09 20:35, Roland Roberts wrote:
> I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
> installed. I have a small user database set up for email authentication.
> The issue I'm having is that when I am in enforcing mode, dovecot can't
> connect to the database. Turning off enforcing mode lets it work. I'm
> having trouble diagnosing where the denial is taking place as I don't
> see any avc messages in /var/log/messages that relate to dovecot. The
> only messages I'm getting are in /var/log/maillog from dovecot like this:
>
> Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
> maildb: could not connect to server: Permission denied
> Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
> on host "fred.flinstone.org" and accepting
> Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
> port 5432?
>
> The answer to the questions is "yes" it is running and accepting
> connections. Whether or not enforcing mode is on, when logged in, I can
> connect to the database via
>
> $ psql -h fred.flinstone.org maildb
>
> I *think* this is a result of updating on Nov 18. I have not changed the
> default selinux mode since the host was set up back in September. At
> that point, I set it to enforcing mode after working out a few issues.
> On Nov 18, a lot of things were updated, but among them were
>
> Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
> Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
> Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
> Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
> Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
> Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
>
> Today, I did another update, hoping it would cure the problem and got
> these revisions
>
> Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
> Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
>
> but the behavior is unchanged; I still have to turn off enforcing mode.
>
> Any clues on what I need to do to get this to work? Or where to look for
> clues since, as I mentioned, I can't even find log entries that would
> clue me in.
>
> roland
>
Maybe you just need to either
make enableaudit or check the file
labels to make sure things are legit.

Justin P. Mattock
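
Added example, not part of the original thread: once denials are being logged (the enableaudit build suggested above removes the dontaudit rules that can hide them), a short script can pull out the AVC records for one daemon and summarize what was denied. The sample records, their timestamps and the SELinux types in them are constructed for illustration; with auditd running, AVC records are written to /var/log/audit/audit.log rather than /var/log/messages, so both line formats are handled.

```python
import re
from collections import Counter

# Matches the AVC body in both audit.log lines and kernel syslog lines.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from the poster's system):
# an audit.log AVC, its SYSCALL companion, a syslog-format AVC as seen
# when auditd is not running, and an unrelated httpd denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1259464991.101:812): avc:  denied  { name_connect } for  pid=2301 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1259464991.101:812): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot-auth"
Nov 28 22:23:11 fred kernel: type=1400 audit(1259464991.640:813): avc:  denied  { name_connect } for  pid=2301 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259465002.007:820): avc:  denied  { read } for  pid=990 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to name the rule
    fields["perms"] = tuple(m.group(1).split())
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(lines, comm_prefix):
    """Count (source type, target type, class, permission) per daemon."""
    summary = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not rec.get("comm", "").startswith(comm_prefix):
            continue
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        for perm in rec["perms"]:
            summary[(src, tgt, rec["tclass"], perm)] += 1
    return summary

if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_LOG.splitlines(), "dovecot")
    for (src, tgt, cls, perm), n in denials.items():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {perm} }}")
```

Each summary row names the source type, target type, object class and permission of a denial, which is the information needed to decide between a label fix and a policy change.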



