Re: [Dovecot] deliver triggering SELinux AVC denials
On Tue, 2008-01-01 at 21:36 -0600, [EMAIL PROTECTED] wrote: > >From: Timo Sirainen <[EMAIL PROTECTED]> > >Date: 2008/01/01 Tue PM 09:18:05 CST > >To: Gerry Reno <[EMAIL PROTECTED]> > >Cc: dovecot@dovecot.org > >Subject: Re: [Dovecot] deliver triggering SELinux AVC denials > ... > >Set dotlock_use_excl=yes to see what file it's really wanting to create. > > Ok, did that. And looking at all the alerts it appears to be any file that > deliver is trying to write under /home/vmail. .. > but for some reason even though deliver is setup to run as vmail:vmail it is > still having permission problems. Well, Dovecot's default SELinux permissions often seem to disallow writing under /home.. signature.asc Description: This is a digitally signed message part
Re: [Dovecot] deliver triggering SELinux AVC denials
>From: Timo Sirainen <[EMAIL PROTECTED]> >Date: 2008/01/01 Tue PM 09:18:05 CST >To: Gerry Reno <[EMAIL PROTECTED]> >Cc: dovecot@dovecot.org >Subject: Re: [Dovecot] deliver triggering SELinux AVC denials ... >Set dotlock_use_excl=yes to see what file it's really wanting to create. Ok, did that. And looking at all the alerts it appears to be any file that deliver is trying to write under /home/vmail. My users are all virtual and they all exist like: /home/vmail/example.com/john typical permissions: -rw--- 1 vmail vmail 464 2008-01-01 20:06 dovecot.index.log but for some reason even though deliver is setup to run as vmail:vmail it is still having permission problems. dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient} Gerry
Re: [Dovecot] deliver triggering SELinux AVC denials
On Tue, 2008-01-01 at 22:06 -0500, Gerry Reno wrote: > I setup postfix/dovecot on a new machine and now all works well with the > small exception of dovecot triggering selinux avc denials on some > temp... files here is a sample alert: > > Summary > SELinux is preventing /usr/libexec/dovecot/deliver (dovecot_deliver_t) > "link" to temp.localhost.678.40caaf5592891c46 (user_home_dir_t). Set dotlock_use_excl=yes to see what file it's really wanting to create. signature.asc Description: This is a digitally signed message part