Summary:

SELinux is preventing /usr/sbin/dovecot "name_bind" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by dovecot. It is not expected that this access is required by dovecot and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:dovecot_t:s0
Target Context                system_u:object_r:dovecot_t:s0
Target Objects                None [ tcp_socket ]
Source                        dovecot
Source Path                   /usr/sbin/dovecot
Port                          2993
Host                          (removed)
Source RPM Packages           dovecot-1.2.11-3.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.5-124.fc13.i686.PAE #1 SMP Fri Jun 11 09:42:24 UTC 2010 i686 i686
Alert Count                   9
First Seen                    Tue 22 Jun 2010 08:01:47 PM PDT
Last Seen                     Sun 27 Jun 2010 10:53:44 PM PDT
Local ID                      8f63af6d-5b8e-4ac3-8ea9-448046717279
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277704424.96:7): avc: denied { name_bind } for pid=1688 comm="dovecot" src=2993 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1277704424.96:7): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfe75390 a2=9d68060 a3=6 items=0 ppid=1687 pid=1688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dovecot" exe="/usr/sbin/dovecot" subj=system_u:system_r:dovecot_t:s0 key=(null)

Hash String generated from  catchall,dovecot,dovecot_t,dovecot_t,tcp_socket,name_bind
audit2allow suggests:

#============= dovecot_t ==============
allow dovecot_t self:tcp_socket name_bind;
It looks like you added the dovecot_t domain type for the tcp/2993 port?
I don't remember adding any custom selinux policy for dovecot (perhaps I forgot), but I have found a dovecot_t,tcp,s0,2993 entry in the SELinux mgmt tool. I am running dovecot on tcp/2993. Is there something else I should do to allow dovecot to listen on that port?
Daniel, execute

# semanage port -d -t dovecot_t -p tcp 2993

This will remove the port mapping, and then you can add local policy for now using

# cat > mydovecot.te << _EOF
policy_module(mydovecot, 1.0)

require {
        type dovecot_t;
        type port_t;
}

allow dovecot_t port_t:tcp_socket name_bind;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mydovecot.pp
Done. I will update if I see any new, related errors. For future reference, is there some way I could have avoided this problem? I don't think I should blindly apply audit2allow.
This is the best way, I mean reporting a bug as in this case. Then we will investigate if the service really needs to use a port and, if yes, we will add a new type for this port.
Could you please attach your dovecot.conf (you can replace all sensitive data with "REMOVED"), or at least attach the output of dovecot -n? Thanks.
Created attachment 430507: my dovecot.conf
Ok, then just execute

# semanage port -a -t pop_port_t -p tcp 2993

This will fix it for you. Also remove your local policy:

# semodule -r mydovecot
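The check the maintainer does by hand above (read the name_bind AVC, look at what label the port carries, notice it is a domain type rather than a *_port_t type) can be scripted. The following is an added example, not code from this bug or from the SELinux policy project. It works on constructed copies of the AVC line from the report and of a few `semanage port -l` lines, since those commands are not run here; the function names (avc_field, port_label, classify_label, diagnose) are hypothetical, and the port-type test is the naming convention that port labels end in `_port_t`, which the reference policy follows.

```shell
#!/bin/sh
# Added example: triage a name_bind AVC denial against the port labelling.
# Not part of the bug thread; sample data below is constructed.

# Constructed sample: the AVC record from the report, without the node= prefix.
SAMPLE_AVC='type=AVC msg=audit(1277704424.96:7): avc:  denied  { name_bind } for  pid=1688 comm="dovecot" src=2993 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_t:s0 tclass=tcp_socket'

# Constructed sample in the layout of `semanage port -l`; on a real host use:
#   semanage port -l | grep -w 2993
SAMPLE_PORTS='dovecot_t                      tcp      2993
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
ephemeral_port_t               tcp      32768-61000
ssh_port_t                     tcp      22'

# avc_field RECORD KEY -> value of "KEY=..." in an audit record (keys are unique)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# port_label PORTS PROTO PORT -> type mapped to PROTO/PORT ("" if none);
# handles comma lists and low-high ranges as semanage prints them
port_label() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
                } else if (p == port) { print $1; exit }
            }
        }'
}

# classify_label TYPE -> "port" for a port type, "domain" for anything else
classify_label() {
    case "$1" in
        *_port_t|port_t) echo port ;;
        *)               echo domain ;;
    esac
}

# diagnose AVC PORTS -> one-line verdict for the port the denial names.
# The tcontext of a name_bind denial is the port's label, so a domain type
# there (dovecot_t) is itself the sign of a mislabelled port.
diagnose() {
    port=$(avc_field "$1" src)
    label=$(port_label "$2" tcp "$port")
    if [ -z "$label" ]; then
        echo "tcp/$port has no explicit port label"
    elif [ "$(classify_label "$label")" = domain ]; then
        echo "tcp/$port is labelled $label, a domain type rather than a port type; relabel it with semanage port"
    else
        echo "tcp/$port is labelled $label"
    fi
}

diagnose "$SAMPLE_AVC" "$SAMPLE_PORTS"
```

Run against the report's own AVC line it points at the mislabelled mapping, which is exactly what the thread ends up fixing with `semanage port -a -t pop_port_t -p tcp 2993`: the port gets a real port type that dovecot_t already has name_bind permission on, and no local allow rule is needed.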
Done. Thanks.