FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 12-02-2009, 10:57 PM
Roland Roberts
 
Default SELinux won't let dovecot connect to postgresql (SOLVED!)

Roland Roberts wrote:
I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:


Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?


The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via


$ psql -h fred.flinstone.org maildb

I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were


Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch

Today, I did another update, hoping it would cure the problem and got
these revisions


Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch

but the behavior is unchanged, I still have to turn off enforcing mode.

Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.


roland


Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.


I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I
don't think this is complete as I'm using the tcp port for PostgreSQL
and the policy only allows that, not the unix domain socket (which I
should probably configure instead). But at least I can now run in
enforcing mode.


365 root> cat *.te

module dovecotauthfixes 1.0;

require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

module eximfixes 1.0;

require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
type postgresql_port_t;
type httpd_t;
type pop_port_t;
class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;

roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-03-2009, 12:00 AM
"Justin P. Mattock"
 
Default SELinux won't let dovecot connect to postgresql (SOLVED!)

On 12/02/09 15:57, Roland Roberts wrote:

Roland Roberts wrote:

I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:

Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?

The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via

$ psql -h fred.flinstone.org maildb

I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were

Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch

Today, I did another update, hoping it would cure the problem and got
these revisions

Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch

but the behavior is unchanged, I still have to turn off enforcing mode.

Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.

roland


Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.

I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I don't
think this is complete as I'm using the tcp port for PostgreSQL and the
policy only allows that, not the unix domain socket (which I should
probably configure instead). But at least I can now run in enforcing mode.

365 root> cat *.te

module dovecotauthfixes 1.0;

require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

module eximfixes 1.0;

require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
type postgresql_port_t;
type httpd_t;
type pop_port_t;
class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;

roland



cool,
so your up and running..

Justin P. Mattock

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-03-2009, 02:51 PM
Daniel J Walsh
 
Default SELinux won't let dovecot connect to postgresql (SOLVED!)

On 12/02/2009 06:57 PM, Roland Roberts wrote:

Roland Roberts wrote:

I'm running Fedora 11 x86_64 with the dovecot and dovecot-pgsql RPMs
installed. I have a small user database set up for email authentication.
The issue I'm having is that when I am in enforcing mode, dovecot
can't connect to the database. Turning off enforcing mode lets it
work. I'm having trouble diagnosing where the denial is taking place
as I don't see any avc messages in /var/log/messages that relate to
dovecot. The only messages I'm getting are in /var/log/maillog from
dovecot like this:

Nov 28 22:23:11 fred dovecot: auth(default): pgsql: Connect failed to
maildb: could not connect to server: Permission denied
Nov 28 22:23:11 fred dovecot: auth(default): #011Is the server running
on host "fred.flinstone.org" and accepting
Nov 28 22:23:11 fred dovecot: auth(default): #011TCP/IP connections on
port 5432?

The answer to the questions is "yes" it is running and accepting
connections. Whether or not enforcing mode is on, when logged in, I
can connect to the database via

$ psql -h fred.flinstone.org maildb

I *think* this is a result of updating on Nov 18. I have not changed
the default selinux mode since the host was set up back in September.
At that point, I set it to enforcing mode after working out a few
issues. On Nov 18, a lot of things were updated, but among there were

Nov 18 10:00:02 Updated: kernel-firmware-2.6.30.9-96.fc11.noarch
Nov 18 10:00:15 Updated: kernel-headers-2.6.30.9-96.fc11.x86_64
Nov 18 10:00:28 Installed: kernel-devel-2.6.30.9-96.fc11.x86_64
Nov 18 10:01:30 Installed: kernel-2.6.30.9-96.fc11.x86_64
Nov 18 10:02:01 Updated: selinux-policy-3.6.12-86.fc11.noarch
Nov 18 10:02:46 Updated: selinux-policy-targeted-3.6.12-86.fc11.noarch

Today, I did another update, hoping it would cure the problem and got
these revisions

Nov 28 10:57:33 Updated: selinux-policy-3.6.12-88.fc11.noarch
Nov 28 10:57:47 Updated: selinux-policy-targeted-3.6.12-88.fc11.noarch

but the behavior is unchanged, I still have to turn off enforcing mode.

Any clues on what I need to do to get this to work? Or where to look
for clues since, as I mentioned, I can't even find log entries that
would clue me in.

roland


Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.

I also ran into a problem with httpd needing access to PostgreSQL since
I'm running Drupal with PostgreSQL as the backend. And I have
SquirrelMail running so httpd needs access to the imap/pop port. I don't
think this is complete as I'm using the tcp port for PostgreSQL and the
policy only allows that, not the unix domain socket (which I should
probably configure instead). But at least I can now run in enforcing mode.

365 root> cat *.te

module dovecotauthfixes 1.0;

require {
type dovecot_auth_t;
type postgresql_port_t;
type postgresql_tmp_t;
type postgresql_t;
class sock_file write;
class tcp_socket name_connect;
class unix_stream_socket connectto;
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
allow dovecot_auth_t postgresql_t:unix_stream_socket connectto;
allow dovecot_auth_t postgresql_tmp_t:sock_file write;

module eximfixes 1.0;

require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
type postgresql_port_t;
type httpd_t;
type pop_port_t;
class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;

roland


You can also just set the booleans

# setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1

Please read:

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf


This explains the four things SELinux is trying to tell you. In order
of most common to least


1 You have a labeling problem (restorecon/semanage fcontext)
2 You have a selinux confiuration problem (booleans, semanage selinux
settings)

3 Bug in selinux-policy or application (audit2allow -M localpolicy)
4 You have been hacked.

In the case of what you are reporting most fall into category 2.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-04-2009, 03:53 AM
Roland Roberts
 
Default SELinux won't let dovecot connect to postgresql (SOLVED!)

On 12/02/2009 06:57 PM, Roland Roberts wrote:
Okay, here's what I finally ended up with that have me running in
enforcing mode. I have both dovecot and exim using PostgreSQL for
authentication. I had originally had them connecting via tcp, but
changed them to use the unix domain socket. The policies below allow
either.


[...]
module eximfixes 1.0;

require {
type postgresql_tmp_t;
type exim_t;
type postgresql_t;
class sock_file write;
class unix_stream_socket connectto;
}

#============= exim_t ==============
allow exim_t postgresql_t:unix_stream_socket connectto;
allow exim_t postgresql_tmp_t:sock_file write;

module httpdfixes 1.0;

require {
type postgresql_port_t;
type httpd_t;
type pop_port_t;
class tcp_socket { name_bind name_connect };
}

#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket { name_bind name_connect };
allow httpd_t postgresql_port_t:tcp_socket name_connect;


The above are not actually necessary; only the dovecot fix was needed.
Daniel Walsh pointed out that there were booleans I could set for the
other problems, namely


# setsebool -P httpd_can_network_connect_db=1 httpd_can_sendmail=1
exim_can_connect_db=1


replaces all of the above.

roland

--
PGP Key ID: 66 BC 3B CD
Roland B. Roberts, PhD RL Enterprises
roland@rlenter.com 6818 Madeline Court
roland@astrofoto.org Brooklyn, NY 11220

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 12:22 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org