I think I have a module problem with SELinux. Laurent is on an x86_64 box and can't help me any further...
On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.
From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)
thanks
Quick’n’(really) dirty SELinux howto:
- Run the service. It fails due to the missing SELinux policy.
- grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
Do you really mean 'service_pattern', or is this a placeholder for something like mysql?
As I get 'Nothing to do'.
A placeholder which changes according to your needs.
I just made it worse. I put in mysql for myservice_policy, got a .pp and did:
semodule -i myservice_policy.pp
Now I get real errors like:
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc0000 r-xp 00000000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd0000 r--p 0001e000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd0000-b6fd1000 rw-p 0001f000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 00000000 00:00 0 [stack]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 00000000 00:00 0 [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
Which go away if I setenforce 0. :(
myservice_policy.te has:
module myservice_policy 1.0;

require {
        type dovecot_t;
        type mysqld_etc_t;
        type mysqld_t;
        class unix_stream_socket connectto;
        class file { getattr open read };
        class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
I am trying to delete the problem policies I added, but so far can't. Meanwhile something, I think, is writing to memory where it shouldn't?
Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df0000-b6df1000 rw-p 0013d000 08:03 6084 /usr/lib/libc-2.17.so
Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df1000-b6df4000 rw-p 00000000 00:00 0
Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df4000-b6e12000 r-xp 00000000 08:03 3988 /usr/lib/libgcc_s-4.8.5-20150702.so.1
Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6e12000-b6e21000 ---p 0001e000 08:03 3988 /usr/lib/libgcc_s-4.8.5-20150702.so.1
?
I got the problem policy removed.
Now I have to figure out how to get dovecot working with mysql with selinux enforcing...
sigh.
On 04/26/2017 12:05 AM, Robert Moskowitz wrote:
On 04/25/2017 11:47 AM, Robert Moskowitz wrote:
I think I have a module problem with SELinux. Laurent is on an x86_64 box and can't help me any further...
I just made it worse. I put in mysql for myservice_policy, got a .pp and did:
semodule -i myservice_policy.pp
myservice_policy.te has:
module myservice_policy 1.0;

require {
        type dovecot_t;
        type mysqld_etc_t;
        type mysqld_t;
        class unix_stream_socket connectto;
        class file { getattr open read };
        class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;
This allow seems to be what I need, based on what I have found in my googling. But when I install this policy, I get errors. Forking off the audit logs I see, when I use sendmail locally:
type=SYSCALL msg=audit(1493187952.091:28323): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=45388b0 a1=35ead30 a2=5264b40 a3=100 items=0 ppid=7341 pid=11879 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493187952.091:28323): proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493187961.645:28326): pid=11895 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493187961.653:28327): pid=11895 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=3927 res=1
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493187961.922:28329): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493187962.135:28330): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493187962.148:28331): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SELINUX_ERR msg=audit(1493188004.599:28332): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(1493188004.599:28332): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=45388b0 a1=522fe00 a2=5266cf0 a3=100 items=0 ppid=7342 pid=11918 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493188004.599:28332): proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493188006.218:28333): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11921 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493188021.284:28334): pid=11923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493188021.289:28335): pid=11923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493188021.293:28336): pid=11923 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=3928 res=1
type=USER_START msg=audit(1493188021.528:28337): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493188021.532:28338): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493188021.734:28339): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493188021.746:28340): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Does this need a bug report?
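Two points in the thread are easier to see with a small parser in hand: the grep | audit2allow step in Laurent's howto only has rules to write when the lines it is fed contain AVC denial records (otherwise it reports 'Nothing to do'), and the audit excerpt in the last message contains ANOM_ABEND and SELINUX_ERR records but no AVC record at all. The Python script below is an added example, not code from the thread or from the CentOS or SELinux projects. It parses audit.log records, prints the allow rule each AVC denial would turn into, and keeps crashes and SELinux errors apart from denials. Its input is constructed: the ANOM_ABEND and SELINUX_ERR lines copy the shape of the records posted above, and the AVC line is invented to match the connectto rule in the posted .te file.

```python
import re
from collections import Counter

# Constructed sample in the one-record-per-line layout of /var/log/audit/audit.log.
# Serials 28324 and 28332 mirror records quoted in the thread; the AVC line is
# invented so the example has one real denial to report.
SAMPLE_AUDIT_LOG = """\
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=AVC msg=audit(1493187955.001:28320): avc:  denied  { connectto } for  pid=11893 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=SELINUX_ERR msg=audit(1493188004.599:28332): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:unconfined_service_t:s0
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be "double-quoted", 'single-quoted' (PAM msg=) or bare.
FIELD_RE = re.compile(r"([\w-]+)=(\"[^\"]*\"|'[^']*'|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Turn one audit line into a dict; None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip("\"'")
    avc = AVC_RE.search(body)
    if avc:  # only AVC / USER_AVC records carry the "avc: denied { perms }" part
        rec["result"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def type_of(context):
    """system_u:system_r:dovecot_t:s0 -> dovecot_t (the third colon-separated field)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def allow_rule(avc):
    """The rule audit2allow would emit for one denial, e.g.
    allow dovecot_t mysqld_t:unix_stream_socket connectto;"""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(avc['scontext'])} {type_of(avc['tcontext'])}:{avc['tclass']} {perm_str};"


def triage(records):
    """Split records into what audit2allow can act on (denials) and what it cannot."""
    out = {"counts": Counter(r["type"] for r in records),
           "denials": [], "rules": [], "crashes": [], "selinux_err": []}
    for r in records:
        if r["type"] in ("AVC", "USER_AVC") and r.get("result") == "denied":
            out["denials"].append(r)
            rule = allow_rule(r)
            if rule not in out["rules"]:
                out["rules"].append(rule)
        elif r["type"] == "ANOM_ABEND":
            # A process died with a signal (6 = SIGABRT); not a policy decision.
            out["crashes"].append(f"{r.get('comm')} (pid {r.get('pid')}, "
                                  f"{type_of(r.get('subj', ''))}) died with signal {r.get('sig')}")
        elif r["type"] == "SELINUX_ERR":
            out["selinux_err"].append(f"{r.get('op')} {r.get('seresult')}: "
                                      f"{type_of(r.get('oldcontext', ''))} -> {type_of(r.get('newcontext', ''))}")
    return out


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_AUDIT_LOG))
    print("record types:", dict(summary["counts"]))
    print("rules audit2allow would generate:")
    for rule in summary["rules"] or ["(none: no AVC denials, so audit2allow says 'Nothing to do')"]:
        print("   ", rule)
    for line in summary["crashes"]:
        print("crash (not a denial):", line)
    for line in summary["selinux_err"]:
        print("SELinux error (not an AVC):", line)
```

Pointed at a real file (replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log) it answers the question the thread circles around: whether the grep output actually contains denials for the domain in question. An AVC record whose path audit2allow itself annotates as mislabeled, as with '/var/lib/mysql/mysql.sock' above, is a labeling problem before it is a policy gap: after restorecon -R -v on that path, or after switching on the boolean named in the comment with setsebool, the denial may not recur and no custom module is needed, and a module that was installed anyway can be removed with semodule -r myservice_policy.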