Re: Dovecot SELinux configuration


 



On Mon, 2006-03-27 at 14:40 -0500, Adam H. Pendleton wrote:
> I am setting up dovecot with postgresql for virtual users, but when I 
> configure dovecot to talk to postgresql, SELinux denies the TCP connection:
> 
> Mar 27 14:25:53 aragorn kernel: audit(1143487553.158:4): avc:  denied  { 
> name_connect } for  pid=2909 comm="dovecot-auth" dest=5432 
> scontext=user_u:system_r:dovecot_auth_t:s0 
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> Mar 27 14:26:53 aragorn kernel: audit(1143487613.737:5): avc:  denied  { 
> name_connect } for  pid=2939 comm="dovecot-auth" dest=5432 
> scontext=user_u:system_r:dovecot_auth_t:s0 
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> 
> Okay, so while I understand that SELinux is preventing dovecot from 
> making a connection to the postgresql tcp port, I don't really 
> understand what the "correct" way to fix it is.  I don't want to turn 
> off SELinux enforcement, but I also don't want to open up more than I 
> should trying to fix it.  What's the best way to allow this connection?

To fix small SELinux issues like this, you can create a local policy
module to allow the specific connection:

http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow

However, given that this is something quite a lot of people would like
to do, I'd also suggest raising a bugzilla ticket on the SELinux policy
you're using once you've got it working. Attach your module to the
ticket.

(this is for FC5 by the way; things are different for older distros)

Paul.

