FC5 services that will not start
Paul Howarth
paul at city-fan.org
Mon Jun 26 16:20:23 UTC 2006
Chris Jones wrote:
> Paul Howarth wrote:
>> Chris Jones wrote:
>>> Paul Howarth wrote:
>>>> Chris Jones wrote:
>>>>> Paul Howarth wrote:
>>>>>> On Sun, 2006-06-25 at 23:16 +0100, Chris Jones wrote:
>>>>>>
>>>>>>> I am using FC5 on a generic Athlon x64 PC. I am having problems
>>>>>>> with several services.
>>>>>>>
>>>>>>> 1. Dovecot refuses to start. When I attempt to start the service
>>>>>>> I get a message in /var/log/messages as follows:
>>>>>>> Jun 25 23:05:38 bilbo kernel: audit(1151273138.255:415): avc:
>>>>>>> denied { create } for pid=1480 comm="dovecot"
>>>>>>> scontext=user_u:system_r:dovecot_t:s0
>>>>>>> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
>>>>>>>
>>>>>>> Can anyone here give me a hint on what I need to do to get this
>>>>>>> working? From the log message, this seems to be something to do
>>>>>>> with selinux.
>>>>>>>
>>>>>>
>>>>>> Indeed it is. Some more diagnostic info would be useful. Can you post
>>>>>> the output of:
>>>>>>
>>>>>> # ausearch -a 415
>>>>>>
>>>>> produces the output >
>>>>> [root@bilbo network-scripts]# ausearch -a 415
>>>>> -bash: ausearch: command not found
>>>>>
>>>>> Clearly, I am missing this application. Where should it be? Which RPM?
>>>>
>>>> It's in the "audit" package.
>>>>
>>> Now when I run this, I get the following response:>
>>> [root@bilbo network-scripts]# ausearch -a 415
>>> <no matches>
>>
>> Have you rebooted since the error happened?
>>
>> Try this instead:
>>
>> # fgrep 1151273138.255:415 /var/log/messages
>>
> Results in:
> Jun 25 23:05:38 bilbo kernel: audit(1151273138.255:415): avc: denied {
> create } for pid=1480 comm="dovecot"
> scontext=user_u:system_r:dovecot_t:s0
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
>
> Which is the last time I tried to start dovecot yesterday.
>
> Having started the auditd service and then tried to start dovecot, I see
> the following in the audit log file:>
> type=AVC msg=audit(1151335194.177:97): avc: denied { create } for
> pid=7668 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> type=SYSCALL msg=audit(1151335194.177:97): arch=c000003e syscall=41
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7668
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="dovecot" exe="/usr/sbin/dovecot"
> type=AVC msg=audit(1151335246.188:98): avc: denied { create } for
> pid=7682 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="dovecot" exe="/usr/sbin/dovecot"
>
> and a call to ausearch -a 98 gives:>
> [root@bilbo audit]# ausearch -a 98
> ----
> time->Mon Jun 26 16:20:46 2006
> type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41
> success=no exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="dovecot" exe="/usr/sbin/dovecot"
> type=AVC msg=audit(1151335246.188:98): avc: denied { create } for
> pid=7682 comm="dovecot" scontext=user_u:system_r:dovecot_t:s0
> tcontext=user_u:system_r:dovecot_t:s0 tclass=socket
> [root@bilbo audit]#

Well you're doing something that's not currently in the dovecot policy.
Are you doing anything "unusual" in your dovecot.conf?

I've got a pretty "vanilla" setup, which doesn't need any SELinux tweaking:

# grep '^ *[^ #]' /etc/dovecot.conf
protocols = imap imaps
ssl_cert_file = /etc/pki/tls/certs/city-fan-imap.crt
ssl_key_file = /etc/pki/tls/certs/city-fan-imap.key
default_mail_env = maildir:%h/mail/inbox
maildir_copy_with_hardlinks = yes
protocol imap {
  listen = 127.0.0.1
  ssl_listen = *
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb pam {
  }
  userdb passwd {
  }
  user = root
}
plugin {
}

It's pretty easy to fix the issue you're having in FC5, but I'd like to
understand it first...

Paul.
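
Added example, not part of the original post: a small Python parser that pairs the AVC and SYSCALL records sharing an audit serial number (the correlation ausearch -a performs) and decodes the SYSCALL fields, showing that the denied call was socket() with a0=0 (AF_UNSPEC), which is consistent with the generic tclass=socket. The lookup tables are minimal Linux values chosen for this thread, and the function names are hypothetical.

```python
import errno
import re
from collections import defaultdict

# Both records of event 98, copied from the audit log quoted in the thread.
SAMPLE = (
    'type=AVC msg=audit(1151335246.188:98): avc: denied { create } for pid=7682 '
    'comm="dovecot" scontext=user_u:system_r:dovecot_t:s0 '
    'tcontext=user_u:system_r:dovecot_t:s0 tclass=socket\n'
    'type=SYSCALL msg=audit(1151335246.188:98): arch=c000003e syscall=41 success=no '
    'exit=-13 a0=0 a1=1 a2=0 a3=521040 items=0 pid=7682 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"\n'
)
HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Minimal Linux lookup tables, just enough for this thread (not complete).
X86_64_SYSCALLS = {41: 'socket'}          # valid when arch=c000003e
FAMILIES = {0: 'AF_UNSPEC', 1: 'AF_UNIX', 2: 'AF_INET', 10: 'AF_INET6'}
SOCK_TYPES = {1: 'SOCK_STREAM', 2: 'SOCK_DGRAM'}

def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    # Lines that are not audit records (ausearch separators, etc.) are skipped.
    for m in filter(None, map(HEADER.match, text.splitlines())):
        rtype, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == 'AVC':
            perms = re.search(r'\{([^}]*)\}', rest)
            fields['perms'] = perms.group(1).split() if perms else []
        events[int(serial)][rtype] = fields
    return dict(events)

def explain(event):
    """Summarise one denial from its AVC and SYSCALL records together."""
    avc, sc = event['AVC'], event['SYSCALL']
    out = {'perms': avc['perms'], 'tclass': avc['tclass'],
           'domain': avc['scontext'].split(':')[2], 'exe': sc['exe'],
           'errno': errno.errorcode.get(-int(sc['exit']), sc['exit'])}
    if sc['arch'] == 'c000003e':
        out['syscall'] = X86_64_SYSCALLS.get(int(sc['syscall']), sc['syscall'])
    if out.get('syscall') == 'socket':
        # a0..a3 are logged in hex; for socket(2) a0 is the family, a1 the type.
        family, kind = int(sc['a0'], 16), int(sc['a1'], 16)
        out['family'] = FAMILIES.get(family, family)
        out['type'] = SOCK_TYPES.get(kind, kind)
    return out

if __name__ == '__main__':
    print(explain(parse_events(SAMPLE)[98]))
```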