Bug 847438
Summary: | SELinux is preventing /usr/libexec/dovecot/auth from 'name_connect' accesses on the tcp_socket . | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Braden McDaniel <braden> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | dominick.grift, dwalsh, janfrode, mgrepl, mhlavink |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:73fcf559f8c1f57a84853c1da21d14dda90b3839023b10be7b3e5899fe0eadd4 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-08-27 23:03:07 UTC | Type: | --- |
Description
Braden McDaniel
2012-08-11 09:23:57 UTC
Do you use ldap for user authorization on your machine, or is dovecot set up to use ldap?

Dovecot is set up to use LDAP for user information; Kerberos is used for authentication.

But your machine is not using pam_ldap?

Basically we have a boolean authlogin_nsswitch_use_ldap which would allow this access, but it would allow all domains that call getpw to now connect to the ldap server. I am just trying to figure out if dovecot uses ldap even if the system is not set up to use ldap for authorization through pam_ldap.

(In reply to comment #3)
> But your machine is not using pam_ldap?

pam_ldap seems to be installed; however, pam_ldap.so occurs nowhere in /etc/pam.d/password-auth. Is there somewhere else it would get pulled in?

(In reply to comment #4)
> Basically we have a boolean authlogin_nsswitch_use_ldap which would allow
> this access, but it would allow all domains that call getpw to now connect
> to the ldap server. I am just trying to figure out if dovecot uses ldap
> even if the system is not set up to use ldap for authorization through
> pam_ldap.

As I indicated, dovecot is using LDAP to get user information. What that means is that the dovecot configuration includes something like this:

    hosts = ldap
    dn = cn=Manager,dc=endoframe,dc=net
    dnpass = ********
    ldap_version = 3
    base = ou=people,dc=endoframe,dc=net
    deref = never
    scope = subtree
    user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
    user_filter = (&(objectClass=posixAccount)(uid=%u))

(I'm using the Manager account for this at the moment, though the recommendation is to set up an account for dovecot with read-only privileges.)

Ok, that is exactly what I wanted to know. I will add to F18. Miroslav, please backport to F17.

selinux-policy-3.10.0-146.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-146.fc17

Package selinux-policy-3.10.0-146.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-146.fc17'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-12355/selinux-policy-3.10.0-146.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-146.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.