[Dovecot] dovecot 2.0 vs. SELinux
Hi,
we were modifying old SELinux rules for dovecot 2.0. Everything seems ok, only one report seems odd:
"SELinux is preventing /usr/sbin/dovecot "write" access on dovecot.conf."
Looking at strace output, dovecot tries to use a socket on /etc/dovecot/dovecot.conf, which is a regular file and not a socket:
...
geteuid() = 0
getegid() = 0
open("/dev/null", O_WRONLY) = 3
fcntl(3, F_GETFD) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/dovecot/config"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
nanosleep({0, 70000000}, NULL) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
nanosleep({0, 90000000}, NULL) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
nanosleep({0, 80000000}, NULL) = 0
...
(tries to connect 14x)
traceback for connect causing this selinux denial is:
connect
net_connect_unix : lib/network.c #246
net_connect_unix_with_retries : lib/network.c : #255
master_service_open_config : lib-master/master-service-settings.c #157
master_service_settings_read : lib-master/master-service-settings.c #302
master_settings_read : master/main.c
main : master/main.c
Does anyone know what happens here? Why does dovecot try to use the regular file dovecot.conf as a socket? There is probably some magic in it (from my pov) which I don't understand.
Regards, Michal Hlavinka
On Fri, May 14, 2010 at 08:10, Michal Hlavinka mhlavink@redhat.com wrote:
Does anyone know what happens here? Why does dovecot try to use the regular file dovecot.conf as a socket? There is probably some magic in it (from my pov) which I don't understand.
I don't see that happening with mine. That sure doesn't make sense. So I can only guess some mangled configuration. But if it hasn't even read the configuration yet, even stranger. What other actions on the config file does strace show happened? E.g. did it also open it for reading or not? Before or after?
On 14.5.2010, at 14.10, Michal Hlavinka wrote:
Looking at strace output, dovecot tries to use a socket on /etc/dovecot/dovecot.conf, which is a regular file and not a socket:
Yeah, it was less code to do it that way.. But since it causes problems, added more code: http://hg.dovecot.org/dovecot-2.0/rev/7bb35ad5e80e
On Friday 14 of May 2010 17:42:25 Timo Sirainen wrote:
On 14.5.2010, at 14.10, Michal Hlavinka wrote:
Looking at strace output, dovecot tries to use a socket on /etc/dovecot/dovecot.conf, which is a regular file and not a socket:
Yeah, it was less code to do it that way.. But since it causes problems, added more code: http://hg.dovecot.org/dovecot-2.0/rev/7bb35ad5e80e
thanks, it fixed it
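
The behaviour discussed in this thread, as an added example that is not part of the thread and is not the code from the linked Dovecot changeset: a plain AF_UNIX connect() attempt on a path, next to a guard that stat()s the path first and skips the connect when it is not a socket. The function names and the choice of ENOTSOCK as the error are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Plain AF_UNIX connect, like the calls in the strace. connect() on a path
 * asks for write access to it, which is what SELinux reported. */
static int unix_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd, saved;

    if (strlen(path) >= sizeof(sa.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
        saved = errno;          /* keep connect()'s errno across close() */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Hypothetical guard (name is an assumption): stat() the path first and only
 * connect when it is a socket. stat() does not need write access. */
static int unix_connect_if_socket(const char *path)
{
    struct stat st;

    if (stat(path, &st) == -1)
        return -1;              /* errno set by stat(), e.g. ENOENT */
    if (!S_ISSOCK(st.st_mode)) {
        errno = ENOTSOCK;       /* regular file: read it as a config file */
        return -1;
    }
    return unix_connect(path);
}
```

With the guard, a regular configuration file is never passed to connect(), so a policy that only grants read access to it produces no "write" denial.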
participants (3)
- Michal Hlavinka
- Phil Howard
- Timo Sirainen