| 1 |
Hi Markus, |
| 2 |
|
| 3 |
On Sat, Jun 17, 2006 at 04:59:28PM +0200, Markus Wagner wrote: |
| 4 |
> Hi, |
| 5 |
> |
| 6 |
> I'm currently trying to switch my server to SELinux. |
| 7 |
> |
| 8 |
> I've successfully managed to get most of my services running, only |
| 9 |
> courier-imapd-ssl remaining. |
| 10 |
> |
| 11 |
> In permissive mode it is possible to connect to the imapd-server and do |
| 12 |
> usual stuff without any denied messages. |
| 13 |
> In enforcing mode the service starts without any problems, but when |
| 14 |
> trying to connect to the server the connection fails with message in the |
| 15 |
> client that number of max ips has been reached. |
| 16 |
> |
| 17 |
> There are no avc-messages reported. |
| 18 |
> In /var/log/mail.log i get this: |
| 19 |
> Jun 17 17:48:47 gentoo imapd-ssl: couriertls: connect: |
| 20 |
> error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback |
| 21 |
> failed |
| 22 |
> Jun 17 17:48:49 gentoo imapd-ssl: couriertls: connect: |
| 23 |
> error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback |
| 24 |
> failed |
| 25 |
> |
| 26 |
> There has to be a problem with the imapd-server initiating a |
| 27 |
> SSL-connection in enforcing mode but why? |
| 28 |
|
| 29 |
I cannot replicate this on my server. have a look at http://bugs.gentoo.org/show_bug.cgi?id=125354 |
| 30 |
I did not understand what the actual fix was :/ |
| 31 |
|
| 32 |
first try to locate the actual problem: |
| 33 |
|
| 34 |
dmesg -c |
| 35 |
cd /etc/security/selinux/src/policy |
| 36 |
make enableaudit |
| 37 |
make load |
| 38 |
# replicate the problem |
| 39 |
audit2allow -d |
| 40 |
|
| 41 |
you might need to add something like |
| 42 |
|
| 43 |
allow courier_tcpd_t random_device_t:chr_file r_file_perms; |
| 44 |
or |
| 45 |
allow courier_imap_t random_device_t:chr_file r_file_perms; |
| 46 |
|
| 47 |
cheers, |
| 48 |
peter |
| 49 |
|
| 50 |
-- |
| 51 |
petre rodan |
| 52 |
<kaiowas@g.o> |
| 53 |
Developer, |
| 54 |
Hardened Gentoo Linux |
Archives