SELinux won't let dovecot connect to postgresql

Justin P. Mattock justinmattock at gmail.com
Sun Nov 29 10:18:19 UTC 2009


On 11/29/09 02:11, Sandro Janke wrote:
> On 11/29/2009 06:29 AM, Roland Roberts wrote:
>> Thomas Harold wrote:
>>> I think that you have to have the setroubleshoot service running in
>>> order to get SELinux errors in /var/log/messages.
>>>
>>> https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ
>>
>> Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
>> packages installed, but much of that package talks about turning on the
>> setroubleshoot service; the file for that should be in
>> /etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
>> verify as correct (rpm -V) and rpm -qil does not show any such file in
>> the inventory. There is a file /usr/sbin/setroubleshootd which is what I
>> would expect for the daemon, but no file in /etc/rc.d/init.d references
>> it. Odd. And if I try to manually launch it, it runs briefly, leaves a
>> zero-length log file in /var/log/setroubleshoot/setroubleshootd.log.
>>
>> Note that I am *not* on a X11 desktop on this host. It is a server, and
>> while it has X installed, it is in run level 3.
>
> Actually, you don't need to have any of the setroubleshoot packages
> installed to get AVC messages logged. What you need is auditd running
> and it will log AVC messages to /var/log/audit/audit.log
>
> With setroubleshoot-server installed you can watch the logged messages
> using:
>
> # sealert -a /var/log/audit/audit.log
>
> The output will be long and in the style of setroubleshoot browser, so
> take your measures.
>
> Another tool - from the audit package - that can prove very useful is
> ausearch. It will search the audit logs for messages matching the given
> criteria.
>
agree..
In my case I normally just do:
audit2allow -d > to_the_allow_rules
audit2allow -i /var/log/*(and the rest of
the log messages having any left over avc's
to define into the policy);

Justin P. Mattock
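
Added example, not part of the original thread or of any poster's message: a small Python reader for the AVC records that auditd writes to /var/log/audit/audit.log, grouping denials by source type, target type, class and permission so they can be reviewed before anything is fed to audit2allow. The log lines, type names and function names below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in audit.log format (not taken from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1259489899.101:410): avc:  denied  { name_connect } for  pid=2101 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1259489899.101:410): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot-auth"
type=AVC msg=audit(1259489905.220:415): avc:  denied  { name_connect } for  pid=2107 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1259489910.007:420): avc:  denied  { read write } for  pid=2110 comm="dovecot" name="dovecot.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1259489911.500:421): avc:  granted  { load_policy } for  pid=2200 comm="load_policy" scontext=unconfined_u:unconfined_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
'''

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC record; other record types (SYSCALL, ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        rec.update(result=m.group("result"), perms=m.group("perms").split(),
                   serial=int(m.group("serial")))
        records.append(rec)
    return records


def summarize_denials(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in records:
        if rec["result"] != "denied":
            continue
        src = rec["scontext"].split(":")[2]  # context is user:role:type:level
        tgt = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(src, tgt, rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(summarize_denials(parse_avc(SAMPLE_LOG)).items()):
        print(f"{n:3d}x  allow {src} {tgt}:{cls} {perm};")
```

Each printed line has the shape of an allow rule, so an unexpected source or target type stands out before it ends up in a local policy module.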



