I've just installed CentOS 5.5 and dovecot 2.0.7. Out of the box, it worked ok with local user accounts. Then I enable selinux and I could no loger login to imap server. I can deal with that via a local policy. But I found dovecot tried to open /etc/shadow: type=AVC msg=audit(1291490764.101:670): avc: denied { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1291500097.318:818): avc: denied { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file even it is configured for pam passdb: # dovecot -n # 2.0.7: /etc/dovecot/dovecot.conf # OS: Linux 2.6.18-194.26.1.el5 x86_64 CentOS release 5.5 (Final) mbox_write_locks = fcntl passdb { driver = pam } ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem userdb { driver = passwd } I straced the process and it efectively tries to open /etc/shadow. I don't want to disable selinux but I'm not happy letting dovecot read my /etc/shadow. Is there a guide to selinux and dovecot? -- Marcelo "?No ser? acaso que ?sta vida moderna est? teniendo m?s de moderna que de vida?" (Mafalda)
On 6.12.2010, at 14.07, Marcelo Roccasalva wrote:> passdb { > driver = pam > }..> I straced the process and it efectively tries to open /etc/shadow. I > don't want to disable selinux but I'm not happy letting dovecot read > my /etc/shadow. Is there a guide to selinux and dovecot?So, how do you expect Dovecot to authenticate with PAM, if it can't read /etc/shadow?
Seemingly Similar Threads
- imap fails, policy wrong?
- Re: Livecd-creator is disabling selinux
- How to disable selinux protection interfering with pppd? I tried audit2allow, but policy does not load. Is there an seboolean?
- pppd does not work if SELinux is turned on.
- Dovecot replication and userdb "noreplicate".