Hi Markus,

On Sat, Jun 17, 2006 at 04:59:28PM +0200, Markus Wagner wrote:
> Hi,
>
> I'm currently trying to switch my server to SELinux.
>
> I've successfully managed to get most of my services running, only
> courier-imapd-ssl remaining.
>
> In permissive mode it is possible to connect to the imapd-server and do
> usual stuff without any denied messages.
> In enforcing mode the service starts without any problems, but when
> trying to connect to the server the connection fails with message in the
> client that number of max ips has been reached.
>
> There are no avc-messages reported.
> In /var/log/mail.log I get this:
> Jun 17 17:48:47 gentoo imapd-ssl: couriertls: connect:
> error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback
> failed
> Jun 17 17:48:49 gentoo imapd-ssl: couriertls: connect:
> error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback
> failed
>
> There has to be a problem with the imapd-server initiating a
> SSL-connection in enforcing mode but why?

I cannot replicate this on my server. Have a look at http://bugs.gentoo.org/show_bug.cgi?id=125354
I did not understand what the actual fix was :/

First try to locate the actual problem:

dmesg -c
cd /etc/security/selinux/src/policy
make enableaudit
make load
# replicate the problem
audit2allow -d

You might need to add something like

allow courier_tcpd_t random_device_t:chr_file r_file_perms;
or
allow courier_imap_t random_device_t:chr_file r_file_perms;

cheers,
peter

-- 
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
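As an added illustration of the procedure above (not part of the original mail or of the Gentoo policy tree), the script below does by hand what the `dmesg -c` / `audit2allow -d` step does: it reads AVC denial lines of the kind `make enableaudit` makes visible and condenses them into draft allow rules in the form suggested for courier. The denial lines are constructed samples for the courier/random_device_t case, not real log output.

```shell
#!/bin/sh
# Constructed sample denials (not real logs): what dmesg could show once
# dontaudit rules are disabled and couriertls/couriertcpd are refused
# access to /dev/random while OpenSSL sets up an SSL session.
SAMPLE_AVC='audit(1150559327.123:45): avc:  denied  { read } for  pid=1234 comm="couriertls" name="random" dev=tmpfs ino=1 scontext=system_u:system_r:courier_imap_t tcontext=system_u:object_r:random_device_t tclass=chr_file
audit(1150559327.456:46): avc:  denied  { getattr } for  pid=1234 comm="couriertls" path="/dev/random" dev=tmpfs ino=1 scontext=system_u:system_r:courier_imap_t tcontext=system_u:object_r:random_device_t tclass=chr_file
audit(1150559328.001:47): avc:  denied  { read } for  pid=1235 comm="couriertcpd" name="random" dev=tmpfs ino=1 scontext=system_u:system_r:courier_tcpd_t tcontext=system_u:object_r:random_device_t tclass=chr_file'

# Read AVC lines on stdin, group them by (source type, target type, class)
# and print one "allow" rule per group with the union of denied permissions.
# The mail's suggested rules use the r_file_perms macro instead of a raw
# permission list; the raw set printed here shows what that macro must cover.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        # keep only the type field of user:role:type[:mls]
        split(src, a, ":"); src = a[3]
        split(tgt, b, ":"); tgt = b[3]
        key = src SUBSEP tgt SUBSEP cls
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (i = 1; i <= count; i++) {
            split(keys[i], k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], seen[keys[i]]
        }
    }'
}

# Run the sample through the converter; real use would be: dmesg | avc_to_allow
draft_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

draft_rules
```

Rules produced this way are only a starting point: a denial on a process running in an unexpected domain usually points at a labelling or transition problem rather than a missing allow rule.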