[Dovecot] CentOS 5 + selinux

Marcelo Roccasalva roccas at gmail.com
Mon Dec 6 16:07:47 EET 2010


I've just installed CentOS 5.5 and dovecot 2.0.7. Out of the box, it
worked ok with local user accounts. Then I enabled SELinux and I could
no longer log in to the imap server. I can deal with that via a local
policy. But I found dovecot tried to open /etc/shadow:

type=AVC msg=audit(1291490764.101:670): avc:  denied  { read } for
pid=16130 comm="auth" name="shadow" dev=md2 ino=96335
scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc:  denied  { getattr } for
pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396
scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file

even though it is configured for pam passdb:

# dovecot -n
# 2.0.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.26.1.el5 x86_64 CentOS release 5.5 (Final)
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

I straced the process and it effectively tries to open /etc/shadow. I
don't want to disable SELinux but I'm not happy letting dovecot read
my /etc/shadow. Is there a guide to SELinux and dovecot?

-- 
Marcelo

"Could it be that this modern life is turning out to have more of modern than
of life?" (Mafalda)
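Editor's note, not part of the original message: the two AVC records above are what audit2allow would turn straight into `allow dovecot_t shadow_t:file { read getattr };`, which grants exactly the access the poster does not want. With a pam passdb, the pam_unix module reads /etc/shadow itself when the authenticating process runs as root (Dovecot's auth worker does by default), which is why the auth process touches the file directly rather than going through a helper. The script below is an added example, not Dovecot or SELinux project code: it parses AVC lines, groups denied permissions by source type, target type and object class, renders the allow rule a local policy module would carry, and separately flags entries whose target type is on a review list. The sample log is constructed from the records quoted in the post (reflowed onto one line each, as auditd writes them) plus one made-up non-AVC record; the SENSITIVE_TYPES set is an assumption seeded only with shadow_t.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the post, each
# reflowed onto a single line as auditd writes them, plus one made-up
# non-AVC record to show that unrelated lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291490764.101:670): avc:  denied  { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc:  denied  { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1291490764.101:670): arch=c000003e syscall=2 success=no exit=-13 comm="auth"
"""

# Target types whose access by a network daemon deserves a closer look before
# any allow rule is written. Assumption: only shadow_t is taken from the post;
# extend the set to taste.
SENSITIVE_TYPES = {"shadow_t"}

AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "tclass": fields.get("tclass"),
        "fields": fields,
    }
    # A context is user:role:type[:level]; the type is the third field.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        rec[side] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        summary[(rec["scontext"], rec["tcontext"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render each summary entry as the allow rule a local policy module would carry."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


def sensitive_denials(summary):
    """Entries whose target type is in SENSITIVE_TYPES; do not simply allow these."""
    return sorted(key for key in summary if key[1] in SENSITIVE_TYPES)


if __name__ == "__main__":
    s = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(s):
        print(rule)
    for key in sensitive_denials(s):
        print("review before allowing: %s -> %s:%s" % key)
```

Run on the sample it prints the single rule `allow dovecot_t shadow_t:file { getattr read };` and then flags dovecot_t -> shadow_t:file for review; feed it `ausearch -m avc` output to use it on a live box. The point of the split between allow_rules and sensitive_denials is that a local policy should be written from the first list only after the second list is empty or each entry in it has been consciously accepted.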

