11-29-2009, 04:05 AM
"Justin P. Mattock"

SELinux won't let dovecot connect to postgresql

On 11/28/09 20:35, Roland Roberts wrote:

I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot can't
connect to the database. Turning off enforcing mode lets it work. I'm
having trouble diagnosing where the denial is taking place as I don't
see any avc messages in /var/log/messages that relate to dovecot. The
only messages I'm getting are in /var/log/maillog from dovecot like this:

Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?

The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I can
connect to the database via

$ psql -h fred.flinstone.org maildb

I *think* this is a result of updating on Nov 18. I have not changed the
default selinux mode since the host was set up back in September. At
that point, I set it to enforcing mode after working out a few issues.
On Nov 18, a lot of things were updated, but among them were

Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch

Today, I did another update, hoping it would cure the problem and got
these revisions

Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch

but the behavior is unchanged; I still have to turn off enforcing mode.

Any clues on what I need to do to get this to work? Or where to look for
clues since, as I mentioned, I can't even find log entries that would
clue me in.

roland


Maybe you just need to either
make enableaudit or check the file
labels to make sure things are legit.

Justin P. Mattock

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
11-29-2009, 04:11 AM
Thomas Harold

SELinux won't let dovecot connect to postgresql

On 11/28/2009 11:35 PM, Roland Roberts wrote:

I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email
authentication. The issue I'm having is that when I am in enforcing
mode, dovecot can't connect to the database. Turning off enforcing
mode lets it work. I'm having trouble diagnosing where the denial is
taking place as I don't see any avc messages in /var/log/messages
that relate to dovecot. The only messages I'm getting are in
/var/log/maillog from dovecot like this


I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.


https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ


Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.


First step is to look in /var/log/messages for "sealert" lines (assuming
that the setroubleshoot service is running). The meat of the details of
the denial will be in /var/log/audit/audit.log.


# egrep "(dovecot|postgres)" /var/log/audit/audit* | audit2allow

It'll probably spit out something like:

allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

Depending on what database server you are running, of course.

You'll want to set your system to "permissive" and let SELinux gather
messages in the audit.log. Then you can run audit2allow once, check its
suggestions, and then create and apply a new policy.


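An added example, not code from the thread or from the SELinux tools: a small Python script that does by hand what the `egrep ... | audit2allow` pipeline above does, parsing AVC denial records out of audit.log (the sample records below are constructed, not a real log) and merging them into candidate allow rules so they can be reviewed before anyone builds a policy module. It assumes only the standard library; turning a reviewed rule into a loadable module still needs audit2allow -M and semodule on the host.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records, not from the thread: the first AVC is the
# dovecot -> postgresql denial the reply anticipates, the last AVC is unrelated noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259468591.101:101): avc:  denied  { name_connect } for  pid=2345 comm="dovecot-auth" dest=5432 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1259468591.101:101): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth"
type=AVC msg=audit(1259468592.202:102): avc:  denied  { read } for  pid=2345 comm="dovecot-auth" name="dovecot-sql.conf" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=AVC msg=audit(1259468593.303:103): avc:  denied  { getattr } for  pid=999 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value fields of one record


def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC denial,
    or None for non-AVC records (SYSCALL, CWD, ...) and malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    try:
        # A context is user:role:type:level; a policy rule only needs the type.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": set(m.group("perms").split())}


def allow_rules(log_text, pattern=r"dovecot|postgres"):
    """Rough equivalent of `egrep PATTERN audit.log | audit2allow`: denials on the
    same (source, target, class) merge into one rule. Treat the output as a list
    to review, not policy to load; a denial can also mean a mislabelled file."""
    wanted = re.compile(pattern)
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line) if wanted.search(line) else None
        if avc:
            merged[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:  # audit2allow braces multi-permission sets
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules
```

Run against a real /var/log/audit/audit.log (read as text) it lists the same rules audit2allow would propose; the second rule in the sample, a read on dovecot_etc_t, is the kind that usually means a label problem rather than a missing allow.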
 
11-29-2009, 04:29 AM
Roland Roberts

SELinux won't let dovecot connect to postgresql

Thomas Harold wrote:
I think that you have to have the setroubleshoot service running in
order to get SELinux errors in /var/log/messages.


https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20User%20FAQ


Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
packages installed, but much of that package talks about turning on the
setroubleshoot service; the file for that should be in
/etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
verify as correct (rpm -V) and rpm -qil does not show any such file in
the inventory. There is a file /usr/sbin/setroubleshootd which is what
I would expect for the daemon, but no file in /etc/rc.d/init.d
references it. Odd. And if I try to manually launch it, it runs
briefly and leaves a zero-length log file in
/var/log/setroubleshoot/setroubleshootd.log.


Note that I am *not* on an X11 desktop on this host. It is a server, and
while it has X installed, it is in run level 3.


roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

 
11-29-2009, 04:43 AM
Thomas Harold

SELinux won't let dovecot connect to postgresql

On 11/29/2009 12:29 AM, Roland Roberts wrote:


Hmmm, I seem to have both setroubleshoot and setroubleshoot-server
packages installed, but much of that package talks about turning on the
setroubleshoot service; the file for that should be in
/etc/rc.d/init.d/setroubleshoot, but I have no such file. Both packages
verify as correct (rpm -V) and rpm -qil does not show any such file in
the inventory. There is a file /usr/sbin/setroubleshootd which is what I
would expect for the daemon, but no file in /etc/rc.d/init.d references
it. Odd. And if I try to manually launch it, it runs briefly and leaves a
zero-length log file in /var/log/setroubleshoot/setroubleshootd.log.


You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically, the "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


Even on our servers, the setroubleshoot.log file is generally empty.
I'm guessing that you'll only see content there if the daemon fails to
initialize or has errors.


 
11-29-2009, 04:49 AM
Roland Roberts

SELinux won't let dovecot connect to postgresql

Thomas Harold wrote:
You could try uninstalling and then reinstalling the setroubleshoot
package. Specifically "setroubleshoot-server" package contains the
daemon and init.d file and only depends on the -plugins package.


But it doesn't seem to include the init.d file, or is rpm -qil not
telling me what I think it is telling me:


572 root> rpm -qil setroubleshoot-server | grep /etc
/etc/audisp/plugins.d/sedispatch.conf
/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
/etc/logrotate.d/setroubleshoot
/etc/setroubleshoot
/etc/setroubleshoot/setroubleshoot.cfg

roland
