Displaying 20 results from an estimated 42 matches for "dovecot_t".
2019 Jun 24
2
Dovecot replication and userdb "noreplicate".
...as you do it the way the policy
> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>
> Aki
For replication over SSH I had to add the following module:
module selinux-dovecot-replication-ssh 1.0;
require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}
#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file {...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...> enforcing? Googling is not finding any real help.
Hi,
I've got some « tweaking » here (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled,
HTH,
Laurent.
module mydovecot 1.0;
require {
    type dovecot_auth_t;
    type postgresql_port_t;
    type dovecot_t;
    type var_t;
    type postfix_virtual_tmp_t;
    class tcp_socket name_connect;
    class file { rename read lock create write getattr link unlink open append };
    class dir { read write create add_name remove_name };
}
#============= dovecot_auth_t ==============
#!!!!...
2019 Aug 06
2
Dovecot replication and userdb "noreplicate".
..._selinux
>>>
>>> Aki
>>
>> For replication over SSH I had to add the following module:
>>
>> module selinux-dovecot-replication-ssh 1.0;
>>
>> require {
>> type ssh_exec_t;
>> type ssh_home_t;
>> type dovecot_t;
>> class file { open read execute execute_no_trans };
>> class dir { getattr search };
>> }
>>
>> #============= dovecot_t ==============
>> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
>> allow dovecot_t ssh_ho...
2009 Apr 30
2
Defaults of CentOS Install not working with SELinux
...odd one with Apache.
Given that these were all installed with the CentOS install defaults,
I can't believe I am the only one with these issues but finding a
solution has not been self evident. Hoping someone here can help.
For Dovecot I get the following:
SELinux is preventing dovecot (dovecot_t) "create" to <Unknown>
(dovecot_t). For complete SELinux messages. run sealert -l
e1b070ab-586a-4c5a-befe-b6a46b9ab992
For procmail I get the following:
SELinux is preventing procmail (procmail_t) "execute" to ./spamc
(spamc_exec_t). For complete SELinux messages....
2020 Apr 11
2
Missing permissions
Hi,
After configuring systemd unit with ReadWritePaths=/home/mail, I get the
following error logs in audit:
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1005 euid=1005
suid=1...
2020 Apr 11
2
Missing permissions
...
type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
scontext=system_u:system_r:dovecot_t:s0
tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
success=no exit=-13 a0=55b493a7f338 a1=1...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...t;
> I've got some « tweaking » here (using postgresql, obviously) so that
> dovecot runs properly with SELinux enabled,
>
> HTH,
> Laurent.
>
> module mydovecot 1.0;
>
> require {
> type dovecot_auth_t;
> type postgresql_port_t;
> type dovecot_t;
> type var_t;
> type postfix_virtual_tmp_t;
> class tcp_socket name_connect;
> class file { rename read lock create write getattr link unlink
> open append };
> class dir { read write create add_name remove_name };
> }
>
> #==...
2017 Apr 07
1
Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I reread my sql.conf.ext files and realized they were actually
connecting to localhost. So I did some googling, and found how to
connect to the socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
password=Postfix_Database_Password
And all fixed. No more failures. Plus probably securer.
On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
> The strange thing is that
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...nto
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.
This made the same content as before that caused problems:
module myservice_policy 1.0;
require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}
#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };
#!!!! The fil...
2019 Aug 06
0
Dovecot replication and userdb "noreplicate".
...nded, see https://linux.die.net/man/8/dovecot_selinux
>>
>> Aki
>
> For replication over SSH I had to add the following module:
>
> module selinux-dovecot-replication-ssh 1.0;
>
> require {
> type ssh_exec_t;
> type ssh_home_t;
> type dovecot_t;
> class file { open read execute execute_no_trans };
> class dir { getattr search };
> }
>
> #============= dovecot_t ==============
> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
> allow dovecot_t ssh_home_t:dir { getattr search };...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...vecot: dict: Error: beec5000-beec6000 r-xp
00000000 00:00 0 [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp
00000000 00:00 0 [vectors]
Which go away if I setenforce 0. :(
myservice_policy.te has:
module myservice_policy 1.0;
require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}
#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };
#!!!! The fil...
2020 Apr 11
0
Missing permissions
...ing systemd unit with ReadWritePaths=/home/mail, I get the
> following error logs in audit:
> type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> scontext=system_u:system_r:dovecot_t:s0
> tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> items=0 ppid=12735 pid=12750 auid=4294967295 uid=1005 gid=1...
2020 Apr 12
0
Missing permissions
...=/home/mail, I get the
> > > following error logs in audit:
> > > type=AVC msg=audit(1586604621.637:6736): avc: denied { write } for
> > > pid=12750 comm="imap" name="Maildir" dev="dm-3" ino=438370738
> > > scontext=system_u:system_r:dovecot_t:s0
> > > tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir permissive=0
> > > type=SYSCALL msg=audit(1586604621.637:6736): arch=c000003e syscall=83
> > > success=no exit=-13 a0=55b493a7f338 a1=1ed a2=ffffffff a3=fffffffffffffcd8
> > > items=0 ppid=12735...
2017 Apr 07
3
SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver:
Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
before retry
They go away when I setenforce 0.
So I googled dovecot mysql selinux and the only worthwhile hit was:
2009 Oct 04
2
deliver stopped working
...th_t;
type syslogd_t;
type hostname_exec_t;
type postfix_smtpd_t;
type var_spool_t;
type system_dbusd_t;
type mysqld_etc_t;
type initrc_t;
type proc_t;
type restorecond_t;
type etc_runtime_t;
type postfix_bounce_t;
type ntpd_t;
type kernel_t;
type postfix_master_t;
type rpcd_t;
type dovecot_t;
type klogd_t;
type udev_t;
type clamd_t;
type mysqld_port_t;
type initrc_var_run_t;
type var_t;
type postfix_qmgr_t;
type postfix_pipe_t;
type crond_t;
class process ptrace;
class unix_stream_socket connectto;
class tcp_socket { name_bind name_connect };
class file { rename execute re...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>
> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> > On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> >> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
> >> pretty much just use commands and not build policies. So I need some
> >> more
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig
v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/
* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
opening
2018 Jun 29
9
v2.3.2 released
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz
https://dovecot.org/releases/2.3/dovecot-2.3.2.tar.gz.sig
v2.3.2 is mainly a bugfix release. It contains all the changes in v2.2.36, as well as a bunch of other fixes (mainly for v2.3-only bugs). Binary packages are already in https://repo.dovecot.org/
* old-stats plugin: Don't temporarily enable PR_SET_DUMPABLE while
opening
2019 Jun 21
0
CentOS 7 SeLinux Problem?
...diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul
erstellen.
Ausführen
allow this access for now by executing:
# ausearch -c 'dovecot' --raw | audit2allow -M my-dovecot
# semodule -i my-dovecot.pp
zusätzliche Information:
Quellkontext system_u:system_r:dovecot_t:s0
Zielkontext system_u:object_r:proc_security_t:s0
Zielobjekte /proc/sys/fs/suid_dumpable [ file ]
Quelle dovecot
Quellpfad /usr/sbin/dovecot
Port <Unknown>
Host &...
2019 Jun 22
2
Dovecot replication and userdb "noreplicate".
Hello!
I finally took the time and spent two days to set up replication for my
server and now I have a question or two.
I initially set noreplicate userdb field to 1 for all but a test user,
but I could still see in the logs that all mailboxes were trying to
connect to the other server via SSH. Is that normal?
Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error: Remote