[Dovecot] dovecot 2.0 vs. SELinux

Michal Hlavinka mhlavink at redhat.com
Fri May 14 15:10:17 EEST 2010


Hi,

we were modifying the old SELinux rules for dovecot 2.0. Everything seems OK; only
one report seems odd:

"SELinux is preventing /usr/sbin/dovecot "write" access on dovecot.conf."

Looking at the strace output, dovecot tries to use a socket on
/etc/dovecot/dovecot.conf, which is a regular file and not a socket:
...
geteuid()                               = 0
getegid()                               = 0
open("/dev/null", O_WRONLY)             = 3
fcntl(3, F_GETFD)                       = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/var/run/dovecot/config"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4)                                = 0
nanosleep({0, 70000000}, NULL)          = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4)                                = 0
nanosleep({0, 90000000}, NULL)          = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
connect(4, {sa_family=AF_FILE, path="/etc/dovecot/dovecot.conf"}, 110) = -1 ECONNREFUSED (Connection refused)
close(4)                                = 0
nanosleep({0, 80000000}, NULL)          = 0
...
(tries to connect 14x)



The traceback for the connect() causing this SELinux denial is:
connect
net_connect_unix : lib/network.c #246
net_connect_unix_with_retries : lib/network.c #255
master_service_open_config : lib-master/master-service-settings.c #157
master_service_settings_read : lib-master/master-service-settings.c #302
master_settings_read : master/main.c
main : master/main.c


Does anyone know what happens here? Why does dovecot try to use the regular file
dovecot.conf as a socket? There is probably some magic in it (from my POV) which
I don't understand.

Regards,
Michal Hlavinka