[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert Moskowitz
rgm at htt-consult.com
Fri Apr 28 07:06:09 UTC 2017
Gordon,
Thank you for your help on this. Still not working...
On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors. I will have to submit a bug report,
>> it seems
>
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in
> ld-2.17.so. I think what's happening is that the policy on your
> system includes a silent rule that somehow breaks your system. You'll
> need to turn on debugging (logging the otherwise silent AVCs) to
> figure this out, in order to provide information that the maintainers
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the
> existing policy
> 5: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed. In the
> terminal that's following audit.log, you should now see AVCs logged
> that you didn't before. Please send them to the list.
>
> If you're only interested in resolving your problem, it should be
> sufficient to build one new module with the AVCs logged here. If you
> want to produce a useful bug report and fix the problem for the
> future, for everyone, you need to first get back into enforcing mode
> and THEN build a new module with each individual AVC, installing each
> one and then testing dovecot, until you resolve the problem, and then
> removing all of the other new modules until you confirm that you've
> found one (or a minimal combination) of rules that is causing dovecot
> to crash and log a backtrace.
Here are the messages I got:
type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh }
for pid=3047 comm="cleanup"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc: denied { siginh } for
pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc: denied { noatsecure }
for pid=3047 comm="cleanup"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { rlimitinh }
for pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { siginh } for
pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { noatsecure }
for pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { rlimitinh }
for pid=3056 comm="smtpd"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { siginh } for
pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { noatsecure }
for pid=3056 comm="smtpd"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { rlimitinh }
for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { siginh } for
pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { noatsecure }
for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { rlimitinh }
for pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { siginh } for
pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { noatsecure }
for pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { rlimitinh }
for pid=3064 comm="deliver"
scontext=system_u:system_r:postfix_pipe_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { siginh } for
pid=3064 comm="deliver" scontext=system_u:system_r:postfix_pipe_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { noatsecure }
for pid=3064 comm="deliver"
scontext=system_u:system_r:postfix_pipe_t:s0
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.724:49212): avc: denied { open } for
pid=3068 comm="dict" path="/etc/my.cnf.d" dev="sda3" ino=12779
scontext=system_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1493361722.244:49216): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='avc: received setenforce notice (enforcing=0)
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
I made the policy, applied it, and set my standard sendmail test:
sendmail -i testit3 at test.htt-consult.com <
/usr/share/doc/amavisd-new-2.10.1/test-messages/README
It failed accessing mysql with the following maillog messages:
Apr 28 02:55:11 z9m9z postfix/pickup[1554]: 8A0124CDA: uid=0 from=<root>
Apr 28 02:55:11 z9m9z postfix/cleanup[3354]: 8A0124CDA:
message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:11 z9m9z postfix/qmgr[6166]: 8A0124CDA:
from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) NOTICE: reconnecting in
response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL
server has gone away at (eval 129) line 172.
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) LMTP [127.0.0.1]:10024
/var/spool/amavisd/tmp/amavis-20170427T030938-07341-6TygUJMr:
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>
SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by
localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port
10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017
02:55:11 -0400 (EDT)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) Checking: A2vWsL1r3nYT
[127.0.0.1] <root at z9m9z.test.htt-consult.com> ->
<testit3 at test.htt-consult.com>
Apr 28 02:55:13 z9m9z postfix/smtpd[3363]: connect from localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: 564C049E2:
client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/cleanup[3354]: 564C049E2:
message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 564C049E2:
from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: disconnect from
localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) A2vWsL1r3nYT FWD from
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>,
BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 564C049E2
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) Passed CLEAN
{RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> ->
<testit3 at test.htt-consult.com>, Message-ID:
<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>, mail_id:
A2vWsL1r3nYT, Hits: 2.973, size: 1424, queued_as: 564C049E2, 2645 ms
Apr 28 02:55:14 z9m9z postfix/lmtp[3359]: 8A0124CDA:
to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=3.3, delays=0.47/0.11/0.03/2.7, dsn=2.0.0, status=sent (250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 564C049E2)
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 8A0124CDA: removed
Apr 28 02:55:15 z9m9z dovecot: dict: Error:
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix):
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error:
Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: dict: Error:
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix):
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: dict: Error: dict sql lookup failed: Not
connected to database
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error:
Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): sieve:
msgid=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>: stored mail
into mailbox 'INBOX'
Apr 28 02:55:15 z9m9z postfix/pipe[3370]: 564C049E2:
to=<testit3 at test.htt-consult.com>, relay=dovecot, delay=0.9,
delays=0.14/0.15/0/0.62, dsn=2.0.0, status=sent (delivered via dovecot
service)
Apr 28 02:55:15 z9m9z postfix/qmgr[6166]: 564C049E2: removed
I set SELinux to permissive and it works:
Apr 28 02:57:53 z9m9z postfix/pickup[1554]: DF38F4CDA: uid=0 from=<root>
Apr 28 02:57:54 z9m9z postfix/cleanup[3419]: DF38F4CDA:
message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:54 z9m9z postfix/qmgr[6166]: DF38F4CDA:
from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) LMTP [127.0.0.1]:10024
/var/spool/amavisd/tmp/amavis-20170426T190541-07342-ifG0CeGq:
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>
SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by
localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port
10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017
02:57:54 -0400 (EDT)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) Checking: wWh0cdDyySoD
[127.0.0.1] <root at z9m9z.test.htt-consult.com> ->
<testit3 at test.htt-consult.com>
Apr 28 02:57:55 z9m9z postfix/smtpd[3427]: connect from localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: 428694AC1:
client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/cleanup[3419]: 428694AC1:
message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: 428694AC1:
from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: disconnect from
localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) wWh0cdDyySoD FWD from
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>,
BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok:
queued as 428694AC1
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) Passed CLEAN
{RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> ->
<testit3 at test.htt-consult.com>, Message-ID:
<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>, mail_id:
wWh0cdDyySoD, Hits: 2.973, size: 1424, queued_as: 428694AC1, 2232 ms
Apr 28 02:57:56 z9m9z postfix/lmtp[3424]: DF38F4CDA:
to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=2.9, delays=0.47/0.11/0.03/2.3, dsn=2.0.0, status=sent (250 2.0.0
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 428694AC1)
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: DF38F4CDA: removed
So these additional policies stop all the memory errors, but still leave
me not working with SELinux.
When I get home Monday, I am going to rebuild the server. With my
Howtos, this is not so hard. It could be that with all the testing, I
dropped something in that I should not have.
If I still have this problem, then it is bug report time.
And then I will do it one AVC at a time with the policy building.
Again, thanks