[Dovecot] CentOS 5 + selinux
I've just installed CentOS 5.5 and dovecot 2.0.7. Out of the box, it worked ok with local user accounts. Then I enabled selinux and I could no longer login to imap server. I can deal with that via a local policy. But I found dovecot tried to open /etc/shadow:

type=AVC msg=audit(1291490764.101:670): avc: denied { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc: denied { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

even though it is configured for pam passdb:

# dovecot -n
# 2.0.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-194.26.1.el5 x86_64 CentOS release 5.5 (Final)
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert =

I straced the process and it effectively tries to open /etc/shadow. I don't want to disable selinux but I'm not happy letting dovecot read my /etc/shadow. Is there a guide to selinux and dovecot?
-- Marcelo
"¿No será acaso que ésta vida moderna está teniendo más de moderna que de vida?" (Mafalda)
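An added example, not part of the list thread: a small Python parser for AVC records like the two quoted above. It groups denials by source type, target type and object class (the same grouping audit2allow uses), flags any that target shadow_t so they can be reviewed instead of blanket-allowed, and renders the corresponding allow rule in standard SELinux TE syntax. The two sample records are constructed to mirror the ones in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the post, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291490764.101:670): avc: denied { read } for pid=16130 comm="auth" name="shadow" dev=md2 ino=96335 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1291500097.318:818): avc: denied { getattr } for pid=17350 comm="auth" path="/etc/shadow" dev=md2 ino=95396 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# "avc: denied { read write } for <key=value ...>"
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either "quoted" or a bare non-space token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Extract the type component from a user:role:type:level security context."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def touches_shadow(summary):
    """Keys from summarize() whose target type is shadow_t; review these before allowing them."""
    return [k for k in summary if k[1] == 'shadow_t']


def format_allow(key, perms):
    """Render one grouped denial as a TE allow rule, e.g. for a local policy module."""
    src, tgt, cls = key
    return 'allow {} {}:{} {{ {} }};'.format(src, tgt, cls, ' '.join(perms))


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT_LOG)
    for key, perms in summary.items():
        flag = '  # REVIEW: grants access to shadow_t' if key in touches_shadow(summary) else ''
        print(format_allow(key, perms) + flag)
```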
On 6.12.2010, at 14.07, Marcelo Roccasalva wrote:
passdb { driver = pam } .. I straced the process and it effectively tries to open /etc/shadow. I don't want to disable selinux but I'm not happy letting dovecot read my /etc/shadow. Is there a guide to selinux and dovecot?
So, how do you expect Dovecot to authenticate with PAM, if it can't read /etc/shadow?
participants (2): Marcelo Roccasalva, Timo Sirainen