Hi,
we were modifying old SELinux rules for dovecot 2.0. Everything seems ok, only one report seems odd:
"SELinux is preventing /usr/sbin/dovecot "write" access on dovecot.conf."
Looking at strace output, dovecot tries to use a socket on /etc/dovecot/dovecot.conf, which is a regular file and not a socket:

    ...
    geteuid() = 0
    getegid() = 0
    open("/dev/null", O_WRONLY) = 3
    fcntl(3, F_GETFD) = 0
    fcntl(3, F_SETFD, FD_CLOEXEC) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 4
    fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    connect(4, {sa_family=AF_FILE, path="/var/run/dovecot/config"}, 110) = -1 ECONNREFUSED (Connection refused)
    close(4) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 4
    fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
    close(4) = 0
    nanosleep({0, 70000000}, NULL) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 4
    fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
    close(4) = 0
    nanosleep({0, 90000000}, NULL) = 0
    socket(PF_FILE, SOCK_STREAM, 0) = 4
    fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
    fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
    connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
    close(4) = 0
    nanosleep({0, 80000000}, NULL) = 0
    ...
    (tries to connect 14x)

The traceback for the connect causing this SELinux denial is:

    connect
    net_connect_unix : lib/network.c #246
    net_connect_unix_with_retries : lib/network.c : #255
    master_service_open_config : lib-master/master-service-settings.c #157
    master_service_settings_read : lib-master/master-service-settings.c #302
    master_settings_read : master/main.c
    main : master/main.c
Does anyone know what happens here? Why does dovecot try to use the regular file dovecot.conf as a socket? There is probably some magic in it (from my pov) which I don't understand.
Regards,
Michal Hlavinka