[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Wed Apr 26 06:31:30 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/26/2017 08:04 AM, Gordon Messmer wrote:
> On 04/25/2017 10:29 PM, Robert Moskowitz wrote:
>> did not work.  it was set off, so I turned it on and tried it out. 
>> Got the same errors:
>>
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: 
>> mysql(/var/lib/mysql/mysql.sock): Connect failed to database 
>> (postfix): Can't connect to local MySQL server through socket 
>> '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
>
> OK.  Re-install the policy, "tail -f /var/log/audit/audit.log" and 
> then try to use dovecot.  You're looking for an AVC.  What do you see?

This takes two SSH connections for testing.  No AVC.  See end for the 
messages.

>
>> You would think that the mysql people would have a boolean to allow 
>> specific apps to access the socket. 
>
> That's not how SELinux works.  The policy on mysql doesn't control 
> what clients do.  The clients have their own policies (or don't, many 
> apps run unconfined).

So many of the howtos for this kind of set up call for disabling 
SELinux.  Perhaps this is why...

Here are the messages:

type=SYSCALL msg=audit(1493187952.091:28323): arch=40000028 syscall=11 
per=800000 success=yes exit=0 a0=45388b0 a1=35ead30 a2=5264b40 a3=100 
items=0 ppid=7341 pid=11879 auid=4294967295 uid=994 gid=991 euid=994 
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493187952.091:28323): 
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493187961.645:28326): pid=11895 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493187961.653:28327): pid=11895 uid=0 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 
tty=(none) old-ses=4294967295 ses=3927 res=1
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493187961.922:28329): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493187962.135:28330): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493187962.148:28331): pid=11895 uid=0 auid=0 
ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SELINUX_ERR msg=audit(1493188004.599:28332): 
op=security_bounded_transition seresult=denied 
oldcontext=system_u:system_r:init_t:s0 
newcontext=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(1493188004.599:28332): arch=40000028 syscall=11 
per=800000 success=yes exit=0 a0=45388b0 a1=522fe00 a2=5266cf0 a3=100 
items=0 ppid=7342 pid=11918 auid=4294967295 uid=994 gid=991 euid=994 
suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 
comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493188004.599:28332): 
proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493188006.218:28333): auid=4294967295 uid=97 
gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11921 
comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493188021.284:28334): pid=11923 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" 
hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493188021.289:28335): pid=11923 uid=0 
auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493188021.293:28336): pid=11923 uid=0 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 
tty=(none) old-ses=4294967295 ses=3928 res=1
type=USER_START msg=audit(1493188021.528:28337): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493188021.532:28338): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493188021.734:28339): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493188021.746:28340): pid=11923 uid=0 auid=0 
ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'