dovecot and allow_ypbind
Daniel J Walsh
dwalsh at redhat.com
Tue May 29 13:51:02 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/29/2012 08:55 AM, Dominick Grift wrote:
> On Tue, 2012-05-29 at 13:50 +0100, lejeczek wrote:
>> hi everybody
>>
>> I wonder why dovecot when run with spool in users home's would need
>> allow_ypbind=1 would you know?
>
> What AVC denials are you seeying? Setroubleshoot and/or audit2why does not
> make optimal suggestions.
>
>> thanks!
>>
>> -- selinux mailing list selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes setroubleshoot and audit2allow/audit2why is just looking for a boolean
that would allow the access. allow_ypbind is a very powerful boolean which
allows all apps that call getpw to listen on any port and to connect to any
port. Unless you are actually using NIS/YP in your environment you should
never turn on allow_ypbind.
Most likely dovecot is to connect or listen on an unexpected port. So you
could either add custom policy or modify the ports that dovecot
listens/connects too. Best to show us the AVC.s
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk/E1EUACgkQrlYvE4MpobNcCwCgzE8sZUOhFsmB1gooWrbVyksC
rsQAoJslvI6V9lhPzaBfmL22/XfEbEyJ
=0bYj
-----END PGP SIGNATURE-----
More information about the selinux
mailing list