[Arm-dev] SElinux module problem - Re: SELinux policy to allow Dovecot to connect to Mysql

Robert Moskowitz rgm at htt-consult.com
Wed Apr 26 07:46:03 UTC 2017



On 04/25/2017 11:47 AM, Robert Moskowitz wrote:
> I think I have a module problem with SELinux.  Laurent is on an x86_64 
> box and can't help me any further...
>
>
> I just made it worse.  I put in mysql for myservice_policy, got a .pp 
> and did:
>
> semodule -i myservice_policy.pp
>
> myservice_policy.te has:
>
>
> module myservice_policy 1.0;
>
> require {
>      type dovecot_t;
>      type mysqld_etc_t;
>      type mysqld_t;
>      class unix_stream_socket connectto;
>      class file { getattr open read };
>      class dir read;
> }
>
> #============= dovecot_t ==============
> allow dovecot_t mysqld_etc_t:dir read;
> allow dovecot_t mysqld_etc_t:file { getattr open read };
>
> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
> allow dovecot_t mysqld_t:unix_stream_socket connectto;

This allow seems to be what I need, based on what I have found in my 
googling.  But when I install this policy, I get errors.  Looking at 
the audit logs when I use sendmail locally, I see the following (the 
relevant entries are the ANOM_ABEND records for dovecot's dict process 
exiting with sig=6, and the SELINUX_ERR security_bounded_transition 
denial from init_t to unconfined_service_t):

type=SYSCALL msg=audit(1493187952.091:28323): arch=40000028 syscall=11 
per=800000 success=yes exit=0 a0=45388b0 a1=35ead30 a2=5264b40 a3=100 
items=0 ppid=7341 pid=11879 auid=4294967295 uid=994 gid=991 euid=994 
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493187952.091:28323): 
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493187961.645:28326): pid=11895 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493187961.653:28327): pid=11895 uid=0 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 
tty=(none) old-ses=4294967295 ses=3927 res=1
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493187961.922:28329): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493187962.135:28330): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493187962.148:28331): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SELINUX_ERR msg=audit(1493188004.599:28332): 
op=security_bounded_transition seresult=denied 
oldcontext=system_u:system_r:init_t:s0 
newcontext=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(1493188004.599:28332): arch=40000028 syscall=11 
per=800000 success=yes exit=0 a0=45388b0 a1=522fe00 a2=5266cf0 a3=100 
items=0 ppid=7342 pid=11918 auid=4294967295 uid=994 gid=991 euid=994 
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493188004.599:28332): 
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493188006.218:28333): auid=4294967295 uid=97 
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11921 
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493188021.284:28334): pid=11923 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493188021.289:28335): pid=11923 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493188021.293:28336): pid=11923 uid=0 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 
tty=(none) old-ses=4294967295 ses=3928 res=1
type=USER_START msg=audit(1493188021.528:28337): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493188021.532:28338): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493188021.734:28339): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493188021.746:28340): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Does this need a bug report?



