I'm trying to set up dovecot for IMAP. I'm using an external auth program and a static userdb setting to define the home directories (all owned by the same UID/GID). I set the whole directory tree to mail_spool_t (thinking I'd avoid any SELinux access issues that way).
What is odd is that it fails when SELinux is in enforcing mode, but not in permissive, BUT I don't get any errors when it fails (e.g. no "denied" messages in the kernel or audit logs).
I've straced the daemon, and it fails at a chdir(). I know the permissions are okay (it works when the system is in permissive mode), so I figured it has to be related to SELinux, but I can't figure out how.
Suggestions?
Chris Adams wrote:
> I'm trying to set up dovecot for IMAP. I'm using an external auth program and a static userdb setting to define the home directories (all owned by the same UID/GID). I set the whole directory tree to mail_spool_t (thinking I'd avoid any SELinux access issues that way).
> What is odd is that it fails when SELinux is in enforcing mode, but not in permissive, BUT I don't get any errors when it fails (e.g. no "denied" messages in the kernel or audit logs).
> I've straced the daemon, and it fails at a chdir(). I know the permissions are okay (it works when the system is in permissive mode), so I figured it has to be related to SELinux, but I can't figure out how.
> Suggestions?
semodule -DB
will turn on all dontaudit rules.
Try your test.
semodule -B
will turn rules back on.
Check for AVC messages.
Once upon a time, Daniel J Walsh dwalsh@redhat.com said:
> Chris Adams wrote:
>> What is odd is that it fails when SELinux is in enforcing mode, but not in permissive, BUT I don't get any errors when it fails (e.g. no "denied" messages in the kernel or audit logs).
> semodule -DB
> will turn on all dontaudit rules.
Sorry, I should have been more specific: this is on RHEL 5, which does not appear to have the -D option.
However, looking at the dontaudit rules with sesearch (I wasn't aware of either dontaudit rules or the sesearch command before), I found the problem. The top-level directory was still default_t, and there's a "dontaudit dovecot_t default_t : dir { ioctl read getattr lock search };" rule.
I changed that top-level directory and all is well. Thanks.
selinux@lists.fedoraproject.org
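The diagnosis Chris ended up doing by hand (walk every directory on the way to the mail home, find the one whose type is not mail_spool_t, then check whether a dontaudit rule silences the denial) can be scripted. The script below is an added example, not code from this thread or from the SELinux or setools projects. It assumes a hypothetical mail tree under /srv/mail, that the target host has GNU stat (for `%C`) and setools' `sesearch`; the sample `stat`/`sesearch` output used to exercise the helpers is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find a mislabeled ancestor directory and
# show whether a dontaudit rule in the loaded policy would hide the AVC denial.
# Hypothetical defaults; adjust for the real spool and daemon domain.
EXPECTED_TYPE="mail_spool_t"
SRC_DOMAIN="dovecot_t"
MAIL_HOME="/srv/mail/u1"   # constructed path, not from the thread

# Print every ancestor of a path, root first:
#   /srv/mail/u1 -> /srv, /srv/mail, /srv/mail/u1
ancestors() {
    acc=""
    old_ifs=$IFS; IFS=/
    for seg in $1; do
        [ -n "$seg" ] || continue
        acc="$acc/$seg"
        printf '%s\n' "$acc"
    done
    IFS=$old_ifs
}

# Type field of a context string user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin (the shape `stat -c '%n %C' DIR...` prints)
# and print "path type" for every entry whose type is not $1.
mislabeled() {
    while read -r path ctx; do
        [ -n "$path" ] || continue
        t=$(type_of "$ctx")
        [ "$t" = "$1" ] || printf '%s %s\n' "$path" "$t"
    done
}

# Read `sesearch --dontaudit` output on stdin; exit 0 and print the rule if a
# dontaudit rule from domain $1 to type $2 covers dir permission $3.
# Accepts both "default_t : dir { ... }" (older setools, as in the thread) and
# "default_t:dir { ... }" (newer setools).
dontaudit_covers() {
    grep -E "^dontaudit +$1 +$2 *: *dir +[{][^}]*[ {]$3[ }]"
}

# Live check: needs root-readable labels, GNU stat and sesearch on the host.
check_path() {
    expected="$1"; src="$2"; home="$3"
    ancestors "$home" | xargs stat -c '%n %C' | mislabeled "$expected" |
    while read -r path t; do
        printf 'wrong type on %s: %s (expected %s)\n' "$path" "$t" "$expected"
        # chdir() into a dir needs "search"; if that denial is dontaudit'ed,
        # enforcing mode fails silently, exactly the symptom in the thread.
        if sesearch --dontaudit -s "$src" -t "$t" -c dir 2>/dev/null |
           dontaudit_covers "$src" "$t" search; then
            printf '  the search denial on %s is silenced by that rule;\n' "$path"
            printf '  relabel it, or disable dontaudit rules to see the AVC\n'
        fi
    done
}

# Only run the live check when invoked directly with an argument.
[ $# -gt 0 ] && check_path "$EXPECTED_TYPE" "$SRC_DOMAIN" "${1:-$MAIL_HOME}"
```

Run it as `sh check_labels.sh /srv/mail/u1` on the affected host. On a release that has `semodule -DB`, that command (followed by `semodule -B` afterwards) is the quicker route, since it rebuilds the policy with dontaudit rules dropped so the denial shows up in the audit log. Once the offending directory is found, `chcon -t mail_spool_t DIR` fixes it until the next relabel; a `semanage fcontext` entry plus `restorecon` makes it stick.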