I've just installed CentOS 5.5 and dovecot 2.0.7. Out of the box, it worked ok with local user accounts. Then I enabled selinux and I could no longer login to the imap server. I can deal with that via a local policy. But I found dovecot tried to open /etc/shadow:

type=AVC msg=audit(1291490764.101:670): avc: denied { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc: denied { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

even though it is configured for pam passdb:

# dovecot -n
# 2.0.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.26.1.el5 x86_64 CentOS release 5.5 (Final)
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

I straced the process and it effectively tries to open /etc/shadow. I don't want to disable selinux but I'm not happy letting dovecot read my /etc/shadow. Is there a guide to selinux and dovecot?

--
Marcelo
"Could it be that this modern life is turning out to have more 'modern' in it than 'life'?" (Mafalda)
On 6.12.2010, at 14.07, Marcelo Roccasalva wrote:

> passdb {
>   driver = pam
> }
..
> I straced the process and it effectively tries to open /etc/shadow. I
> don't want to disable selinux but I'm not happy letting dovecot read
> my /etc/shadow. Is there a guide to selinux and dovecot?

So, how do you expect Dovecot to authenticate with PAM, if it can't read /etc/shadow?
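The two AVC records in the thread already contain everything needed to judge what a local policy would be granting: the subject domain (dovecot_t), the target type (shadow_t), the object class and the permissions. The following Python script is an added example, not code from the list or from the Dovecot project; it parses raw audit records of that format into (domain, type, class, permission) tuples and counts the denials per tuple, which is the list of rules one would be reviewing before writing a module. The sample log is constructed from the two records quoted above plus one non-AVC line to show it is skipped.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records quoted in the thread, plus a
# SYSCALL record (constructed) to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291490764.101:670): avc: denied { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc: denied { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1291490764.101:670): arch=c000003e syscall=2 success=no exit=-13 comm="auth"
"""

# Fixed head of an AVC record: timestamp, serial, result, permission set, pid, comm.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: '
    r'(?P<result>denied|granted) \{ (?P<perms>[^}]+) \} for '
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?P<rest>.*)$'
)
# Remaining key=value fields (name, path, dev, ino, scontext, tcontext, tclass).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(m.group("pid")),
        "comm": m.group("comm"),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # The SELinux type is the third field of a user:role:type:level context.
    rec["subject_domain"] = rec.get("scontext", ":::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def parse_audit_log(text):
    """Return the AVC records found in an audit log, in order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def summarize_denials(records):
    """Count denials per (subject domain, target type, class, permission).

    Each key is one access vector a local policy module would have to allow,
    so the counter is exactly the set of rules to review.
    """
    counts = Counter()
    for rec in records:
        if rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["subject_domain"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


def denials_on_type(records, target_type):
    """Return the denied records whose target carries the given SELinux type."""
    return [r for r in records if r["result"] == "denied" and r["target_type"] == target_type]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (domain, ttype, tclass, perm), n in sorted(summarize_denials(recs).items()):
        print(f"{n:3d}  {domain} -> {ttype} ({tclass}): {perm}")
    for r in denials_on_type(recs, "shadow_t"):
        print(f"pid {r['pid']} comm={r['comm']} touched {r.get('path') or r.get('name')}")
```

Run against the thread's two records the summary reduces to two tuples, dovecot_t reading and getattr-ing a shadow_t file, which is the access PAM's local password check needs and therefore the real scope of any "allow" rule written to silence these denials.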