Description of problem: Error message, there is a dovecot process running, I have not determined the stability of the system yet. Version-Release number of selected component (if applicable): dovecot.x86_64.1:2.2.15-1.fc21 How reproducible: Appears to happen as dovecot starts Steps to Reproduce: 1. yum install sendmail dovecot 2. systemctl enable sendmail dovecot 3. Actual results: Warning message from SElinux check Expected results: Silent dovcot oeration Additional info: Installed from fc21-MATE-x86_64 for testing
Could you attach AVCs (/var/log/audit/audit.log) ?
Created attachment 968193 [details] Dovecot entries from audit.log I attach the dovecot entries, I will provide the whole log (I saved it) if needed.
Was the system running out of memory or process space at the time? sys_resource means that the process dovecot can ignore its limits on resources like process or open file descriptors. We usually see this type of thing when a system is being stressed.
Unless the normal process of installing the mail components and starting them will exceed sane limits, no. This was initial setup for testing, installing enough system software to run as a normal desktop. This was either a VM configured as a remote access host (1GB RAM, 2GB swap, 6GB disk, running off SSD), or a laptop, 2GB RAM, otherwise ~200GB disk.
Lets also ask dovecot maintainer.
Dovecot uses setrlimit and changes it's limit (sometime increase, sometime decrease) to match it's needs and not waste too much (if something goes wrong). for example login process: static void main_preinit(bool allow_core_dumps) { ... ... /* set the number of fds we want to use. it may get increased or decreased. leave a couple of extra fds for auth sockets and such. worst case each connection can use: - 1 for client - 1 for login proxy - 2 for client-side ssl proxy - 2 for server-side ssl proxy (with login proxy) */ max_fds = MASTER_LISTEN_FD_FIRST + 16 + master_service_get_socket_count(master_service) + master_service_get_client_limit(master_service)*6; restrict_fd_limit(max_fds); ^^^ calls setrlimit(RLIMIT_NOFILE,...
7f66b60e21bac02dadbb71be1d305b44622db4f6 allows this in git.
commit 8302ce68ee7c9b03a7d0958faf176da3a1cbbcec Author: Dan Walsh <dwalsh> Date: Sun Feb 1 08:03:23 2015 -0500 Allow dovecot domains to use sys_resouce
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21
Package selinux-policy-3.13.1-105.3.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21 then log in and leave karma (feedback).
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.