I got the problem policy removed. Now I have to figure out how to get dovecot working with mysql with selinux enforcing... sigh.

On 04/26/2017 12:05 AM, Robert Moskowitz wrote:
> I am trying to delete the problem policies I added, but so far can't.
> Meanwhile something, I think, is writing to memory where it shouldn't?
>
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df0000-b6df1000 rw-p 0013d000 08:03 6084 /usr/lib/libc-2.17.so
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df1000-b6df4000 rw-p 00000000 00:00 0
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6df4000-b6e12000 r-xp 00000000 08:03 3988 /usr/lib/libgcc_s-4.8.5-20150702.so.1
> Apr 25 18:02:20 z9m9z dovecot: dict: Error: b6e12000-b6e21000 ---p 0001e000 08:03 3988 /usr/lib/libgcc_s-4.8.5-20150702.so.1
>
> ?
>
> On 04/25/2017 11:47 AM, Robert Moskowitz wrote:
>> I think I have a module problem with SELinux. Laurent is on an
>> x86_64 box and can't help me any further...
>>
>> On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
>>> On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>>>> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>>>>> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>>>>>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
>>>>>> pretty much just use commands and not build policies. So I need some
>>>>>> more information here.
>>>>>>
>>>>>> From what you provided below, how do I determine what is currently in
>>>>>> place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>>>>
>>>>>> thanks
>>>>> Quick’n’(really) dirty SELinux howto:
>>>>> 1) Run the service. fails due to missing selinux policy.
>>>>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
>>>> Do you really mean 'service_pattern', or is this a placeholder for
>>>> something like mysql?
>>>>
>>>> As I get 'Nothing to do'
>>> placeholder which changes according to your needs.
>> I just made it worse. I put in mysql for myservice_policy, got a .pp
>> and did:
>>
>> semodule -i myservice_policy.pp
>>
>> Now I get real errors like:
>>
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc0000 r-xp 00000000 08:03 6076 /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 00000000 00:00 0
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 00000000 00:00 0
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd0000 r--p 0001e000 08:03 6076 /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd0000-b6fd1000 rw-p 0001f000 08:03 6076 /usr/lib/ld-2.17.so
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 00000000 00:00 0 [stack]
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 00000000 00:00 0 [sigpage]
>> Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
>>
>> Which go away if I setenforce 0. :(
>>
>> myservice_policy.te has:
>>
>> module myservice_policy 1.0;
>>
>> require {
>>     type dovecot_t;
>>     type mysqld_etc_t;
>>     type mysqld_t;
>>     class unix_stream_socket connectto;
>>     class file { getattr open read };
>>     class dir read;
>> }
>>
>> #============= dovecot_t ==============
>> allow dovecot_t mysqld_etc_t:dir read;
>> allow dovecot_t mysqld_etc_t:file { getattr open read };
>>
>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>> _______________________________________________
>> Arm-dev mailing list
>> Arm-dev at centos.org
>> https://lists.centos.org/mailman/listinfo/arm-dev
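
An added example, not part of the original thread and not audit2allow's own code: a small Python parser that selects AVC denials by the source domain in `scontext` (rather than by a free-text grep pattern) and lists the allow rules they imply, so they can be reviewed before any module is loaded with `semodule -i`. The audit.log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (assumption: not taken from the thread's system).
SAMPLE_LOG = """\
type=AVC msg=audit(1493111596.101:311): avc:  denied  { read } for  pid=1201 comm="dict" name="my.cnf.d" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
type=AVC msg=audit(1493111596.102:312): avc:  denied  { getattr } for  pid=1201 comm="dict" path="/etc/my.cnf" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1493111596.103:313): avc:  denied  { read open } for  pid=1201 comm="dict" path="/etc/my.cnf" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1493111596.104:314): avc:  denied  { connectto } for  pid=1201 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1493111597.200:320): avc:  denied  { read } for  pid=1400 comm="httpd" name="my.cnf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1493111597.200:320): arch=40000028 syscall=5 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(":")[2]

def denials_for_domain(log_text, domain):
    """Merge denied permissions per (target type, class) for one source domain."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Skip non-AVC records and denials raised by other domains.
        if not m or context_type(m["scon"]) != domain:
            continue
        merged[(context_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return merged

def allow_rules(log_text, domain):
    """Render the merged denials as allow rules, one per target type and class."""
    rules = []
    for (ttype, tclass), perms in sorted(denials_for_domain(log_text, domain).items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {domain} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, "dovecot_t"):
        print(rule)
```

A pattern such as `mysql` would also match the constructed `httpd_t` denial; filtering on the source domain keeps the reviewed rule set limited to `dovecot_t`.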