[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert Moskowitz
rgm at htt-consult.com
Wed Apr 26 16:32:04 UTC 2017
Thanks for the advice. Will see what I can get done this evening.

On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors. I will have to submit a bug report,
>> it seems
>
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in
> ld-2.17.so. I think what's happening is that the policy on your
> system includes a silent rule that somehow breaks your system. You'll
> need to turn on debugging (logging the otherwise silent AVCs) to
> figure this out, in order to provide information that the maintainers
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the
> existing policy
> 5: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed. In the
> terminal that's following audit.log, you should now see AVCs logged
> that you didn't before. Please send them to the list.
>
> If you're only interested in resolving your problem, it should be
> sufficient to build one new module with the AVCs logged here. If you
> want to produce a useful bug report and fix the problem for the
> future, for everyone, you need to first get back into enforcing mode
> and THEN build a new module with each individual AVC, installing each
> one and then testing dovecot, until you resolve the problem, and then
> removing all of the other new modules until you confirm that you've
> found one (or a minimal combination) of rules that is causing dovecot
> to crash and log a backtrace.
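
The per-AVC bisection suggested in the quoted advice (one module for each individual AVC) can be prepared with a small script. This is an added example, not part of the original thread: the log lines are constructed samples and `dovecotfix` is a hypothetical module-name prefix. It only prints the `audit2allow` commands, it does not run them.

```shell
# Added example: split captured AVC denials into one file per distinct rule.
sample_log() {   # constructed AVC lines, not taken from the thread
cat <<'EOF'
type=AVC msg=audit(1493224324.101:501): avc:  denied  { name_connect } for  pid=2101 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1493224324.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="auth"
type=AVC msg=audit(1493224325.220:502): avc:  denied  { noatsecure } for  pid=2102 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process
type=AVC msg=audit(1493224330.007:509): avc:  denied  { name_connect } for  pid=2110 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# split_avcs LOG OUTDIR: write each distinct denial (same permissions, source
# context, target context and class) to OUTDIR/avc_NN.log; print the count.
split_avcs() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /type=AVC/ && /denied/ {
            perms = s = t = c = ""
            if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) s = $i
                else if ($i ~ /^tcontext=/) t = $i
                else if ($i ~ /^tclass=/) c = $i
            }
            key = perms " " s " " t " " c
            if (key in seen) next          # repeat of a denial already saved
            seen[key] = 1; f = sprintf("%s/avc_%02d.log", dir, ++n)
            print > f; close(f)
        }
        END { print n + 0 }
    ' "$1"
}

# plan_modules OUTDIR PREFIX: print (not run) one audit2allow command per file.
plan_modules() {
    for f in "$1"/avc_*.log; do
        [ -e "$f" ] || continue
        n=${f##*/avc_}; n=${n%.log}
        printf 'audit2allow -M %s_%s < %s\n' "$2" "$n" "$f"
    done
}

tmp=$(mktemp -d) || exit 1
sample_log > "$tmp/audit.sample"
split_avcs "$tmp/audit.sample" "$tmp/avcs"      # prints 2 for the sample
plan_modules "$tmp/avcs" dovecotfix
rm -rf "$tmp"
```

On a real system, pass the AVC lines saved from the `tail -f /var/log/audit/audit.log | grep AVC` terminal as LOG, then build, install and test the resulting modules one at a time.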