Old 05-02-2008, 06:50 PM
Chris Adams
 
Odd problem with dovecot

I'm trying to set up dovecot for IMAP. I'm using an external auth
program and a static userdb setting to define the home directories (all
owned by the same UID/GID). I set the whole directory tree to
mail_spool_t (thinking I'd avoid any SELinux access issues that way).

What is odd is that it fails when SELinux is in enforcing mode, but not
in permissive, BUT I don't get any errors when it fails (e.g. no
"denied" messages in the kernel or audit logs).

I've straced the daemon, and it fails at a chdir(). I know the
permissions are okay (it works when the system is in permissive mode),
so I figured it has to be related to SELinux, but I can't figure out
how.

Suggestions?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 05-06-2008, 05:58 PM
Daniel J Walsh
 
Odd problem with dovecot

Chris Adams wrote:
> I'm trying to set up dovecot for IMAP. I'm using an external auth
> program and a static userdb setting to define the home directories (all
> owned by the same UID/GID). I set the whole directory tree to
> mail_spool_t (thinking I'd avoid any SELinux access issues that way).
>
> What is odd is that it fails when SELinux is in enforcing mode, but not
> in permissive, BUT I don't get any errors when it fails (e.g. no
> "denied" messages in the kernel or audit logs).
>
> I've straced the daemon, and it fails at a chdir(). I know the
> permissions are okay (it works when the system is in permissive mode),
> so I figured it has to be related to SELinux, but I can't figure out
> how.
>
> Suggestions?
semodule -DB

will turn on all dontaudit rules.

Try your test.

semodule -B

will turn rules back on.

Check for AVC messages.

 
Old 05-06-2008, 06:15 PM
Chris Adams
 
Odd problem with dovecot

Once upon a time, Daniel J Walsh <dwalsh@redhat.com> said:
> Chris Adams wrote:
> > What is odd is that it fails when SELinux is in enforcing mode, but not
> > in permissive, BUT I don't get any errors when it fails (e.g. no
> > "denied" messages in the kernel or audit logs).
> semodule -DB
>
> will turn on all dontaudit rules.

Sorry, I should have been more specific: this is on RHEL 5, which does
not appear to have the -D option.

However, looking at the dontaudit rules with sesearch (I wasn't aware of
either dontaudit rules or the sesearch command before), I found the
problem. The top-level directory was still default_t, and there's a
"dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };"
rule.

I changed that top-level directory and all is well. Thanks.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

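A small diagnostic script for the situation in this thread, added here as an example and not taken from any of the list posts: it walks every directory on the way to a Dovecot home directory and reports those whose SELinux type is not the intended one, because dovecot_t needs `search` on every ancestor and the dontaudit rule Chris found means a denial on a default_t ancestor never reaches the audit log (the reason Dan's `semodule -DB` step exists). The mail root `/srv/mail`, the type `mail_spool_t` and the function names are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example: find mislabelled ancestors of a Dovecot mail directory.
# Assumes absolute paths; /srv/mail and mail_spool_t are placeholders.

# Print each ancestor of an absolute path, root first, one per line.
ancestors() {
    if [ "$1" = "/" ]; then echo /; return; fi
    ancestors "$(dirname "$1")"
    echo "$1"
}

# Read `ls -Zd` output on stdin (old "mode user group context path" or
# newer "context path" layout both work) and print "path type" for every
# entry whose type field differs from the wanted type given as $1.
unexpected_types() {
    awk -v want="$1" '{
        ctx = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) ctx = $i
        split(ctx, c, ":")
        if (c[3] != want) print $NF, c[3]
    }'
}

# On a live host: label every ancestor of $1 and list the mismatches.
check_path() {
    ancestors "$1" | xargs ls -Zd | unexpected_types "$2"
}

# Show the dontaudit rules that would hide a denial on a given type
# (setools sesearch; on RHEL 5 this is the command Chris used).
hidden_denials() {
    sesearch --dontaudit -s dovecot_t -t "$1" -c dir
}

# Fix: record the label permanently, apply it, then retry the IMAP login.
relabel_tree() {
    semanage fcontext -a -t "$2" "$1(/.*)?"
    restorecon -Rv "$1"
}

if [ $# -gt 0 ]; then check_path "$1" "${2:-mail_spool_t}"; fi
```

Run it as `sh check.sh /srv/mail/user1` on the Dovecot host; a line such as `/srv default_t` is the ancestor that needs relabelling.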