SELinux won't let dovecot connect to postgresql (SOLVED!)
Roland Roberts wrote:
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged, I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.
I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I
don't think this is complete as I'm using the tcp port for PostgreSQL
and the policy only allows that, not the unix domain socket (which I
should probably configure instead). But at least I can now run in
enforcing mode.
365 root> cat *.te
module dovecotauthfixes 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}
--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12-03-2009, 12:00 AM
"Justin P. Mattock"
SELinux won't let dovecot connect to postgresql (SOLVED!)
On 12/02/09 15:57, Roland Roberts wrote:
Roland Roberts wrote:
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged, I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.
I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I don't
think this is complete as I'm using the tcp port for PostgreSQL and the
policy only allows that, not the unix domain socket (which I should
probably configure instead). But at least I can now run in enforcing mode.
365 root> cat *.te
module dovecotauthfixes 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12-03-2009, 02:51 PM
Daniel J Walsh
SELinux won't let dovecot connect to postgresql (SOLVED!)
On 12/02/2009 06:57 PM, Roland Roberts wrote:
Roland Roberts wrote:
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:
Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?
The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via
$ psql -h fred.flinstone.org maildb
I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were
Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch
Today, I did another update, hoping it would cure the problem and got
these revisions
Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch
but the behavior is unchanged, I still have to turn off enforcing mode.
Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.
roland
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.
I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I don't
think this is complete as I'm using the tcp port for PostgreSQL and the
policy only allows that, not the unix domain socket (which I should
probably configure instead). But at least I can now run in enforcing mode.
365 root> cat *.te
module dovecotauthfixes 1.0;
require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}
This explains the four things SELinux is trying to tell you. In order
of most common to least
1 You have a labeling problem (restorecon/semanage fcontext)
2 You have a selinux confiuration problem (booleans, semanage selinux
settings)
3 Bug in selinux-policy or application (audit2allow -M localpolicy)
4 You have been hacked.
In the case of what you are reporting most fall into category 2.
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12-04-2009, 03:53 AM
Roland Roberts
SELinux won't let dovecot connect to postgresql (SOLVED!)
On 12/02/2009 06:57 PM, Roland Roberts wrote:
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.
[...]
module eximfixes 1.0;
require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}
The above are not actually necessary; only the dovecot fix was needed.
Daniel Walsh pointed out that there were booleans I could set for the
other problems, namely
SELinux won't let dovecot connect to postgresql (SOLVED!)
