slohcine at verizon.net
2006-Mar-08  02:00 UTC
[Dovecot] Default SELinux policy on Fedora FC4 prevents dovecot service from starting
Hello,
I recently set up a Fedora FC4 server to host e-mail and webapps. During the
install, I turned on SELinux in active mode. All apps seem to work OK but the
Dovecot daemon won't start. In the audit log, I see this entry when I try to
start the dovecot daemon.
type=AVC msg=audit(1141464818.541:40305): avc:  denied  { read } for  pid=1989
comm="dovecot" name=dovecot.pem dev=md2 ino=3646976
scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:cert_t
tclass=file
type=PATH msg=audit(1141499436.214:3266533): item=0
name="/etc/pki/dovecot/dovecot.pem" inode=3646976 dev=09:02
mode=0100600 ouid=0 ogid=0 rdev=00:00
I put SELinux into permissive mode and Dovecot works OK. Looks like dovecot does
not assume the correct security context when it initializes and reads the cert
file.
My question for the list is what changes should I make to the SELinux policy to
safely permit dovecot to read the file? I'm no expert at SELinux but hoping
for some direction, or another way to solve this problem. Ideally, I'd like
to keep SELinux in enforcing mode.
Many thanks,
Eric
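
Added example, not part of the original post: a small Python parser for the AVC record quoted above that pulls out the denied permission, the source domain, the target type and the object class, then prints the type-enforcement rule the denial corresponds to. The function names are hypothetical and the record is the one from the post, re-joined onto one line.

```python
import re

# AVC record from the post, re-joined onto one line (the e-mail wrapped it).
AVC = ('type=AVC msg=audit(1141464818.541:40305): avc:  denied  { read } for  pid=1989 '
       'comm="dovecot" name=dovecot.pem dev=md2 ino=3646976 '
       'scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:cert_t '
       'tclass=file')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]

def parse_avc(line):
    """Parse one AVC audit record into the fields needed to reason about it."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    result, perms, rest = m.groups()
    fields = {k: q or b for k, q, b in FIELD_RE.findall(rest)}
    missing = [k for k in ('scontext', 'tcontext', 'tclass') if k not in fields]
    if missing:
        raise ValueError('AVC record lacks ' + ', '.join(missing))
    return {
        'result': result,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def te_rule(rec):
    """Render the allow rule that matches the access recorded in rec."""
    perms = rec['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        rec['source_type'], rec['target_type'], rec['tclass'], perm_s)

if __name__ == '__main__':
    print(te_rule(parse_avc(AVC)))
```

The rule it prints covers every file labelled cert_t, not only dovecot.pem, which is worth weighing before loading anything like it into policy.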
Kenneth Porter
2006-Mar-09  08:53 UTC
[Dovecot] Default SELinux policy on Fedora FC4 prevents dovecot service from starting
--On Tuesday, March 07, 2006 8:00 PM -0600 slohcine at verizon.net wrote:
> My question for the list is what changes should I make to the SELinux
> policy to safely permit dovecot to read the file? I'm no expert at
> SELinux but hoping for some direction, or another way to solve this
> problem. Ideally, I'd like to keep SELinux in enforcing mode.

There's a new fedora-security list. You might want to raise this there.