[Arm-dev] SElinux module problem - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert Moskowitz
rgm at htt-consult.com
Wed Apr 26 07:46:03 UTC 2017
On 04/25/2017 11:47 AM, Robert Moskowitz wrote:
> I think I have a module problem with SELinux. Laurent is on an x86_64
> box and can't help me any further...
>
>
> I just made it worst. I put in mysql for myservice_policy, got a /pp
> and did:
>
> semodule -i myservice_policy.pp
>
> myservice_policy.te has:
>
>
> module myservice_policy 1.0;
>
> require {
> type dovecot_t;
> type mysqld_etc_t;
> type mysqld_t;
> class unix_stream_socket connectto;
> class file { getattr open read };
> class dir read;
> }
>
> #============= dovecot_t ==============
> allow dovecot_t mysqld_etc_t:dir read;
> allow dovecot_t mysqld_etc_t:file { getattr open read };
>
> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
> #!!!! This avc can be allowed using the boolean
> 'daemons_enable_cluster_mode'
> allow dovecot_t mysqld_t:unix_stream_socket connectto;
This allow seems to be what I need, based on what I have found in my
googling. But when I install this policy, I get errors. forking off
the audit logs I see, when I use sendmail locally:
type=SYSCALL msg=audit(1493187952.091:28323): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=45388b0 a1=35ead30 a2=5264b40 a3=100
items=0 ppid=7341 pid=11879 auid=4294967295 uid=994 gid=991 euid=994
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493187952.091:28323):
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond"
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493187961.645:28326): pid=11895 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=?
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493187961.653:28327): pid=11895 uid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0
tty=(none) old-ses=4294967295 ses=3927 res=1
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493187961.922:28329): pid=11895 uid=0 auid=0
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493187962.135:28330): pid=11895 uid=0 auid=0
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493187962.148:28331): pid=11895 uid=0 auid=0
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SELINUX_ERR msg=audit(1493188004.599:28332):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:init_t:s0
newcontext=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(1493188004.599:28332): arch=40000028 syscall=11
per=800000 success=yes exit=0 a0=45388b0 a1=522fe00 a2=5266cf0 a3=100
items=0 ppid=7342 pid=11918 auid=4294967295 uid=994 gid=991 euid=994
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493188004.599:28332):
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493188006.218:28333): auid=4294967295 uid=97
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11921
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493188021.284:28334): pid=11923 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond"
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493188021.289:28335): pid=11923 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=?
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493188021.293:28336): pid=11923 uid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0
tty=(none) old-ses=4294967295 ses=3928 res=1
type=USER_START msg=audit(1493188021.528:28337): pid=11923 uid=0 auid=0
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493188021.532:28338): pid=11923 uid=0 auid=0
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493188021.734:28339): pid=11923 uid=0 auid=0
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493188021.746:28340): pid=11923 uid=0 auid=0
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Is this needing a bug report?
More information about the Arm-dev
mailing list