Bug 609243
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/dovecot "name_bind" access. |
| Product | [Fedora] Fedora |
| Reporter | Daniel Wang <daniel2196> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CANTFIX |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | low |
| Version | 13 |
| CC | dwalsh, mgrepl, mhlavink |
| Hardware | i386 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:f81a27494ed3404adadbb870339e351c6b6701790cbc460b8b5ad531b309cfd9 |
| Doc Type | Bug Fix |
| Last Closed | 2010-07-09 16:10:51 UTC |
Description
Daniel Wang
2010-06-29 18:06:27 UTC
It looks like you added dovecot_t domain type for tcp/2993 port?

I don't remember adding any custom selinux policy for dovecot (perhaps I forgot), but I have found a dovecot_t,tcp,s0,2993 entry in the SELinux mgmt tool. I am running dovecot on tcp/2993. Is there something else I should do to allow dovecot to listen on that port?

Daniel, execute

    # semanage port -d -t dovecot_t -p tcp 2993

Will remove the port mapping and then you can add local policy for now using

    # cat > mydovecot.te << _EOF
    policy_module(mydovecot, 1.0)
    require {
        type dovecot_t;
        type port_t;
    }
    allow dovecot_t port_t:tcp_socket name_bind;
    _EOF
    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i mydovecot.pp

Done. I will update if I see any new, related errors. For future reference, is there some way I could have avoided this problem? I don't think I should blindly apply audit2allow.

This is the best way. I mean reporting a bug as in this case. Then we will investigate if the service really needs to use a port and if yes we will add a new type for this port.

Could you please attach your dovecot.conf (you can replace all sensitive data by replacing them with "REMOVED") or at least attach the output of dovecot -n? Thanks.

Created attachment 430507: my dovecot.conf

Ok, then just execute

    # semanage port -a -t pop_port_t -p tcp 2993

Will fix for you. Also remove your local policy

    # semodule -r mydovecot

Done. Thanks.
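The final fix in this thread labels the one port rather than letting dovecot_t bind to every port_t port. As an added example (not part of the bug report), the script below turns a name_bind AVC denial into that narrower command. The AVC record is constructed, the function names are hypothetical, and the port type is supplied by the caller (pop_port_t here, as chosen in this bug).

```shell
#!/bin/sh
# Added example: turn a name_bind AVC denial into a port-labeling command
# instead of a blanket "allow <domain> port_t:tcp_socket name_bind" rule.

# Constructed sample record (not taken from the bug report).
SAMPLE_AVC='type=AVC msg=audit(1277834787.123:456): avc:  denied  { name_bind } for  pid=1234 comm="dovecot" src=2993 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of the first KEY=value pair in the record
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# suggest_port_label RECORD PORT_TYPE
# Prints a semanage command for the denied port. Returns 1 when the record is
# not a usable name_bind denial, 2 when the port already has a specific type.
suggest_port_label() {
    record=$1
    port_type=$2
    case $record in
        *"{ name_bind }"*) ;;
        *) echo "not a name_bind denial" >&2; return 1 ;;
    esac
    port=$(avc_field "$record" src)
    tclass=$(avc_field "$record" tclass)
    ttype=$(avc_field "$record" tcontext | cut -d: -f3)
    case $port in
        ''|*[!0-9]*) echo "no numeric src= port" >&2; return 1 ;;
    esac
    case $tclass in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "unexpected class: $tclass" >&2; return 1 ;;
    esac
    # A port that already carries a specific type belongs to another service;
    # relabeling it needs a human decision, so stop here.
    if [ "$ttype" != port_t ]; then
        echo "port $port is already labeled $ttype" >&2
        return 2
    fi
    echo "semanage port -a -t $port_type -p $proto $port"
}

suggest_port_label "$SAMPLE_AVC" pop_port_t
```

The script only prints the command; review it and run it as root yourself.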