[Dovecot] CentOS 5 + selinux

Marcelo Roccasalva roccas at gmail.com
Mon Dec 6 16:07:47 EET 2010

I've just installed CentOS 5.5 and dovecot 2.0.7. Out of the box, it
worked ok with local user accounts. Then I enable selinux and I could
no loger login to imap server. I can deal with that via a local
policy. But I found dovecot tried to open /etc/shadow:

type=AVC msg=audit(1291490764.101:670): avc:  denied  { read } for
pid=16130 comm="auth" name="shadow" dev=md2 ino=96335
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc:  denied  { getattr } for
pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396
tcontext=system_u:object_r:shadow_t:s0 tclass=file

even it is configured for pam passdb:

# dovecot -n
# 2.0.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.26.1.el5 x86_64 CentOS release 5.5 (Final)
mbox_write_locks = fcntl
passdb {
  driver = pam
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd

I straced the process and it efectively tries to open /etc/shadow. I
don't want to disable selinux but I'm not happy letting dovecot read
my /etc/shadow. Is there a guide to selinux and dovecot?


"¿No será acaso que ésta vida moderna está teniendo más de moderna que
de vida?" (Mafalda)

More information about the dovecot mailing list