[Arm-dev] SElinux module problem - Re: SELinux policy to allow Dovecot to connect to Mysql

Robert Moskowitz rgm at htt-consult.com
Tue Apr 25 22:31:15 UTC 2017


I got the problem policy removed.

Now I have to figure out how to get dovecot working with mysql with 
selinux enforcing...

sigh.

On 04/26/2017 12:05 AM, Robert Moskowitz wrote:
> I am trying to delete the problem policies I added, but so far can't.  
> Meanwhile something, I think, is writing to memory where it shouldn't?
>
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df0000-b6df1000 rw-p 
> 0013d000 08:03 6084       /usr/lib/libc-2.17.so
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df1000-b6df4000 rw-p 
> 00000000 00:00 0
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df4000-b6e12000 r-xp 
> 00000000 08:03 3988       /usr/lib/libgcc_s-4.8.5-20150702.so.1
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6e12000-b6e21000 ---p 
> 0001e000 08:03 3988       /usr/lib/libgcc_s-4.8.5-20150702.so.1
>
> ?
>
> On 04/25/2017 11:47 AM, Robert Moskowitz wrote:
>> I think I have a module problem with SELinux.  Laurent is on an 
>> x86_64 box and can't help me any further...
>>
>>
>> On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
>>> Le mardi 25 avril 2017 à 11:07 +0200, Robert Moskowitz a écrit :
>>>> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>>>>> Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit :
>>>>>> Thanks Laurent.  You obviously know a LOT more about SELinux than I.
>>>>>> I pretty much just use commands and not build policies. So I need some
>>>>>> more information here.
>>>>>>
>>>>>> From what you provided below, how do I determine what is currently in
>>>>>> place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>>>>
>>>>>> thanks
>>>>> Quick’n’(really) dirty SELinux howto:
>>>>> 1) Run the service. It fails due to missing selinux policy.
>>>>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
>>>> Do you really mean 'service_pattern', or is this a placeholder for
>>>> something like mysql?
>>>>
>>>> As I get 'Nothing to do'
>>> placeholder which changes according to your needs.
>> I just made it worse.  I put in mysql for myservice_policy, got a .pp 
>> and did:
>>
>> semodule -i myservice_policy.pp
>>
>>
>> Now I get real errors like:
>>
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc0000 r-xp 
>> 00000000 08:03 6076       /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 
>> 00000000 00:00 0
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 
>> 00000000 00:00 0
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd0000 r--p 
>> 0001e000 08:03 6076       /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd0000-b6fd1000 rw-p 
>> 0001f000 08:03 6076       /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 
>> 00000000 00:00 0          [stack]
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 
>> 00000000 00:00 0          [sigpage]
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 
>> 00000000 00:00 0          [vectors]
>>
>> Which go away if I setenforce 0.  :(
>>
>> myservice_policy.te has:
>>
>>
>> module myservice_policy 1.0;
>>
>> require {
>>      type dovecot_t;
>>      type mysqld_etc_t;
>>      type mysqld_t;
>>      class unix_stream_socket connectto;
>>      class file { getattr open read };
>>      class dir read;
>> }
>>
>> #============= dovecot_t ==============
>> allow dovecot_t mysqld_etc_t:dir read;
>> allow dovecot_t mysqld_etc_t:file { getattr open read };
>>
>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>> _______________________________________________
>> Arm-dev mailing list
>> Arm-dev at centos.org
>> https://lists.centos.org/mailman/listinfo/arm-dev



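Added example, not part of the thread or of any CentOS or Dovecot tooling: a small POSIX shell triage that follows the hints audit2allow printed inside myservice_policy.te above, namely checking the label of the target socket (and the named boolean) before loading a hand-built allow rule. The AVC records in SAMPLE_AVC are constructed to match the two denials that module covers (pids, inode numbers and timestamps are made up); avc_to_allow, triage and host_workflow are names chosen for this example, and the APPLY environment variable is likewise an assumption of the example. host_workflow only prints its plan unless APPLY=1 is set and the SELinux userland tools are present.

```shell
#!/bin/sh
# Added example (not from the list thread). Parses AVC denials the way
# audit2allow does, but routes the socket connectto denial to a label check
# first, as audit2allow's own comments in the posted .te suggest.

# Constructed sample records in audit.log shape; pid, ino and timestamps are
# made up. The two AVC records correspond to the rules in myservice_policy.te.
SAMPLE_AVC='type=AVC msg=audit(1493100000.123:4567): avc:  denied  { connectto } for  pid=1234 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1493100000.456:4568): avc:  denied  { read } for  pid=1234 comm="dict" name="mysql" dev="sda3" ino=6084 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1493100000.456:4568): arch=40000028 syscall=322 success=no exit=-13 comm="dict" exe="/usr/libexec/dovecot/dict"'

# Shared awk program: extract source type, target type, class and permission
# from each denial. mode=triage separates "fix the label" from "review a rule".
AVC_AWK='
/avc: +denied/ {
    perm = ""; s = ""; t = ""; c = ""; p = ""
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   c = substr($i, 8)
        if ($i ~ /^path=/)     { p = substr($i, 6); gsub(/"/, "", p) }
    }
    rule = sprintf("allow %s %s:%s %s;", s, t, c, perm)
    # A connectto denial on a named socket is first a labeling question: if the
    # socket does not carry the label policy expects, an allow rule would paper
    # over the mislabel instead of fixing it.
    if (mode == "triage" && c == "unix_stream_socket" && perm == "connectto" && p != "")
        print "check-label " p
    else if (mode == "triage")
        print "review-rule " rule
    else
        print rule
}'

# What audit2allow would emit for these records, one allow rule per denial.
avc_to_allow() { printf '%s\n' "$1" | awk "$AVC_AWK"; }

# Same records, but with the socket denial routed to a label check.
triage() { printf '%s\n' "$1" | awk -v mode=triage "$AVC_AWK"; }

# Host-side steps for one check-label hit. Prints the plan by default; runs the
# real commands only with APPLY=1 (an assumption of this example) and the
# SELinux tools installed.
host_workflow() {
    sock=$1
    if [ "${APPLY:-0}" != 1 ] || ! command -v matchpathcon >/dev/null 2>&1; then
        cat <<EOF
# plan for $sock (dry run):
matchpathcon -V "$sock" || restorecon -R -v "$sock"   # repair the label, then retry the service
getsebool daemons_enable_cluster_mode                 # the boolean audit2allow mentioned
ausearch -m AVC -c dict --raw | audit2allow -M myservice_policy   # only for denials that remain
# read myservice_policy.te before: semodule -i myservice_policy.pp
# undo with: semodule -r myservice_policy
EOF
        return 0
    fi
    matchpathcon -V "$sock" || restorecon -R -v "$sock"
    getsebool daemons_enable_cluster_mode
}

echo "== rules audit2allow would generate =="
avc_to_allow "$SAMPLE_AVC"
echo "== triage =="
triage "$SAMPLE_AVC" | while read -r action arg rest; do
    if [ "$action" = check-label ]; then host_workflow "$arg"; fi
done
```

The point of the split is the order of operations: restorecon on a mislabeled socket (or the boolean audit2allow named) removes the denial without granting dovecot_t a new permission on mysqld_t, whereas loading the generated module widens policy and, as the thread shows, can leave the real cause untouched. Denials that remain after the label is verified are the ones worth turning into a reviewed module, and semodule -r is the rollback if that module makes things worse.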