Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-10 Thread Timo Sirainen
On Tue, 2008-01-01 at 21:36 -0600, [EMAIL PROTECTED] wrote:
> >From: Timo Sirainen <[EMAIL PROTECTED]>
> >Date: 2008/01/01 Tue PM 09:18:05 CST
> >To: Gerry Reno <[EMAIL PROTECTED]>
> >Cc: dovecot@dovecot.org
> >Subject: Re: [Dovecot] deliver triggering SELinux AVC denials
> ...
> >Set dotlock_use_excl=yes to see what file it's really wanting to create.
> 
> Ok, did that.  And looking at all the alerts it appears to be any file that 
> deliver is trying to write under /home/vmail.
..
> but for some reason even though deliver is set up to run as vmail:vmail it is 
> still having permission problems.

Well, Dovecot's default SELinux permissions often seem to disallow
writing under /home..





Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread greno
>From: Timo Sirainen <[EMAIL PROTECTED]>
>Date: 2008/01/01 Tue PM 09:18:05 CST
>To: Gerry Reno <[EMAIL PROTECTED]>
>Cc: dovecot@dovecot.org
>Subject: Re: [Dovecot] deliver triggering SELinux AVC denials
...
>Set dotlock_use_excl=yes to see what file it's really wanting to create.

Ok, did that.  And looking at all the alerts it appears to be any file that 
deliver is trying to write under /home/vmail.

My users are all virtual and they all exist like:
/home/vmail/example.com/john

typical permissions:
-rw--- 1 vmail vmail   464 2008-01-01 20:06 dovecot.index.log

but for some reason even though deliver is set up to run as vmail:vmail it is 
still having permission problems.

dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}




Gerry




Re: [Dovecot] deliver triggering SELinux AVC denials

2008-01-01 Thread Timo Sirainen
On Tue, 2008-01-01 at 22:06 -0500, Gerry Reno wrote:
> I set up postfix/dovecot on a new machine and now all works well with the 
> small exception of dovecot triggering selinux avc denials on some 
> temp... files. Here is a sample alert:
> 
> Summary
> SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t)
> "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t).

Set dotlock_use_excl=yes to see what file it's really wanting to create.
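
Added example, not part of the original thread: a small triage script that groups raw AVC denial records by source domain and target type, which shows whether every blocked file shares one label as described above. The log lines are constructed samples in the usual audit.log AVC format (the thread only shows the setroubleshoot summary), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (assumption: raw audit.log format, not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199243165.101:41): avc:  denied  { link } for  pid=2101 comm="deliver" name="temp.localhost.678.40caaf5592891c46" dev=dm-0 ino=98311 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1199243165.105:42): avc:  denied  { write } for  pid=2101 comm="deliver" name="dovecot.index.log" dev=dm-0 ino=98312 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1199243170.220:43): avc:  denied  { create } for  pid=2107 comm="deliver" name="dovecot.index.cache" scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1199243170.220:43): arch=40000003 syscall=5 success=no exit=-13 comm="deliver"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="?(?P<name>[^"\s]+)"?')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    name = NAME_RE.search(line)
    return {
        # A context is user:role:type[:level]; the type is the third field.
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
        "name": name.group("name") if name else None,
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "names": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["count"] += 1
        g["perms"].update(d["perms"])
        if d["name"]:
            g["names"].add(d["name"])
    return dict(groups)
```

When every denial lands in a single (dovecot_deliver_t, user_home_dir_t) group regardless of file name, the block comes from the SELinux type on the directory tree, which is independent of the vmail:vmail Unix ownership.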


