[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Robert Moskowitz rgm at htt-consult.com
Fri Apr 28 07:06:09 UTC 2017


Gordon,

Thank you for your help on this.  Still not working...

On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors.  I will have to submit a bug report, 
>> it seems 
>
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in 
> ld-2.17.so.  I think what's happening is that the policy on your 
> system includes a silent rule that somehow breaks your system. You'll 
> need to turn on debugging (logging the otherwise silent AVCs) to 
> figure this out, in order to provide information that the maintainers 
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the 
> existing policy
> 5: copy and paste the output from the terminal used for #2 into 
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed.  In the 
> terminal that's following audit.log, you should now see AVCs logged 
> that you didn't before.  Please send them to the list.
>
> If you're only interested in resolving your problem, it should be 
> sufficient to build one new module with the AVCs logged here.  If you 
> want to produce a useful bug report and fix the problem for the 
> future, for everyone, you need to first get back into enforcing mode 
> and THEN build a new module with each individual AVC, installing each 
> one and then testing dovecot, until you resolve the problem, and then 
> removing all of the other new modules until you confirm that you've 
> found one (or a minimal combination) of rules that is causing dovecot 
> to crash and log a backtrace.

Here are the messages I got:

type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } 
for  pid=3047 comm="cleanup" 
scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { siginh } for  
pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { noatsecure } 
for  pid=3047 comm="cleanup" 
scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { rlimitinh } 
for  pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { siginh } for  
pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { noatsecure } 
for  pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { rlimitinh } 
for  pid=3056 comm="smtpd" 
scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { siginh } for  
pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { noatsecure } 
for  pid=3056 comm="smtpd" 
scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { rlimitinh } 
for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { siginh } for  
pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { noatsecure } 
for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 
tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { rlimitinh } 
for  pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { siginh } for  
pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { noatsecure } 
for  pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 
tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc:  denied  { rlimitinh } 
for  pid=3064 comm="deliver" 
scontext=system_u:system_r:postfix_pipe_t:s0 
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc:  denied  { siginh } for  
pid=3064 comm="deliver" scontext=system_u:system_r:postfix_pipe_t:s0 
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc:  denied  { noatsecure } 
for  pid=3064 comm="deliver" 
scontext=system_u:system_r:postfix_pipe_t:s0 
tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.724:49212): avc:  denied  { open } for  
pid=3068 comm="dict" path="/etc/my.cnf.d" dev="sda3" ino=12779 
scontext=system_u:system_r:dovecot_t:s0 
tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1493361722.244:49216): pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='avc:  received setenforce notice (enforcing=0) 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I made the policy, applied it, and set my standard sendmail test:

sendmail -i testit3 at test.htt-consult.com < 
/usr/share/doc/amavisd-new-2.10.1/test-messages/README

It failed accessing mysql with the following maillog messages:

Apr 28 02:55:11 z9m9z postfix/pickup[1554]: 8A0124CDA: uid=0 from=<root>
Apr 28 02:55:11 z9m9z postfix/cleanup[3354]: 8A0124CDA: 
message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:11 z9m9z postfix/qmgr[6166]: 8A0124CDA: 
from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) NOTICE: reconnecting in 
response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL 
server has gone away at (eval 129) line 172.
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) LMTP [127.0.0.1]:10024 
/var/spool/amavisd/tmp/amavis-20170427T030938-07341-6TygUJMr: 
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com> 
SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by 
localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 
10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017 
02:55:11 -0400 (EDT)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) Checking: A2vWsL1r3nYT 
[127.0.0.1] <root at z9m9z.test.htt-consult.com> -> 
<testit3 at test.htt-consult.com>
Apr 28 02:55:13 z9m9z postfix/smtpd[3363]: connect from localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: 564C049E2: 
client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/cleanup[3354]: 564C049E2: 
message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 564C049E2: 
from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: disconnect from 
localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) A2vWsL1r3nYT FWD from 
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, 
BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: 
queued as 564C049E2
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) Passed CLEAN 
{RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> 
<testit3 at test.htt-consult.com>, Message-ID: 
<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>, mail_id: 
A2vWsL1r3nYT, Hits: 2.973, size: 1424, queued_as: 564C049E2, 2645 ms
Apr 28 02:55:14 z9m9z postfix/lmtp[3359]: 8A0124CDA: 
to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024, 
delay=3.3, delays=0.47/0.11/0.03/2.7, dsn=2.0.0, status=sent (250 2.0.0 
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 564C049E2)
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 8A0124CDA: removed
Apr 28 02:55:15 z9m9z dovecot: dict: Error: 
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): 
Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error: 
Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: dict: Error: 
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): 
Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: dict: Error: dict sql lookup failed: Not 
connected to database
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error: 
Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): sieve: 
msgid=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>: stored mail 
into mailbox 'INBOX'
Apr 28 02:55:15 z9m9z postfix/pipe[3370]: 564C049E2: 
to=<testit3 at test.htt-consult.com>, relay=dovecot, delay=0.9, 
delays=0.14/0.15/0/0.62, dsn=2.0.0, status=sent (delivered via dovecot 
service)
Apr 28 02:55:15 z9m9z postfix/qmgr[6166]: 564C049E2: removed

I set SELinux to permissive and it works:

Apr 28 02:57:53 z9m9z postfix/pickup[1554]: DF38F4CDA: uid=0 from=<root>
Apr 28 02:57:54 z9m9z postfix/cleanup[3419]: DF38F4CDA: 
message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:54 z9m9z postfix/qmgr[6166]: DF38F4CDA: 
from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) LMTP [127.0.0.1]:10024 
/var/spool/amavisd/tmp/amavis-20170426T190541-07342-ifG0CeGq: 
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com> 
SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by 
localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 
10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017 
02:57:54 -0400 (EDT)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) Checking: wWh0cdDyySoD 
[127.0.0.1] <root at z9m9z.test.htt-consult.com> -> 
<testit3 at test.htt-consult.com>
Apr 28 02:57:55 z9m9z postfix/smtpd[3427]: connect from localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: 428694AC1: 
client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/cleanup[3419]: 428694AC1: 
message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: 428694AC1: 
from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: disconnect from 
localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) wWh0cdDyySoD FWD from 
<root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, 
BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: 
queued as 428694AC1
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) Passed CLEAN 
{RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> 
<testit3 at test.htt-consult.com>, Message-ID: 
<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>, mail_id: 
wWh0cdDyySoD, Hits: 2.973, size: 1424, queued_as: 428694AC1, 2232 ms
Apr 28 02:57:56 z9m9z postfix/lmtp[3424]: DF38F4CDA: 
to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024, 
delay=2.9, delays=0.47/0.11/0.03/2.3, dsn=2.0.0, status=sent (250 2.0.0 
from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 428694AC1)
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: DF38F4CDA: removed

So these additional policies stop all the memory errors, but still leave 
me not working with SELinux.

When I get home Monday, I am going to rebuild the server.  With my 
Howtos, this is not so hard.  It could be that with all the testing, I 
dropped something in that I should not have.

If I still have this problem, then it is bug report time.

And then I will do it one AVC at a time with the policy building.

Again, thanks
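A triage script for the audit.log output collected in step 3 of the procedure quoted above, added here as an example and not part of the thread: it parses the kernel AVC records, sets aside the rlimitinh/siginh/noatsecure denials that only surface because `semodule -DB` disables the dontaudit rules, and derives the allow rule (of the shape `audit2allow` emits) for whatever is left. The sample records are constructed from the ones quoted in the post; the noise set and the field handling are my assumptions.

```python
import re

# Constructed sample in the shape of the audit.log lines quoted in the post
# (real input: `tail -f /var/log/audit/audit.log | grep AVC`, as in step 3).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { siginh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { noatsecure } for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.724:49212): avc:  denied  { open } for  pid=3068 comm="dict" path="/etc/my.cnf.d" dev="sda3" ino=12779 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1493361722.244:49216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Process-transition permissions the stock policy dontaudits (assumption: they show
# up only because `semodule -DB` re-enabled auditing; allowing them fixes nothing).
DONTAUDIT_NOISE = {"rlimitinh", "siginh", "noatsecure"}

AVC_RE = re.compile(r"^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one kernel AVC record; returns None for USER_AVC and other records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    # user:role:type:level -> keep only the type (e.g. dovecot_t, mysqld_etc_t)
    return {
        "perms": frozenset(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
        "path": fields.get("path", "").strip('"'),
    }

def allow_rule(avc):
    """TE rule of the shape audit2allow derives from a single AVC record."""
    perms = " ".join(sorted(avc["perms"]))
    return "allow %s %s:%s { %s };" % (avc["source"], avc["target"], avc["tclass"], perms)

def triage(audit_text):
    """Split AVCs into dontaudit noise and the denials worth a module or bug report."""
    noise, real = [], []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        (noise if avc["perms"] <= DONTAUDIT_NOISE else real).append(avc)
    return noise, real
```

Run against the records in the post, the only non-noise denial is the dict process opening /etc/my.cnf.d; the socket error "(13)" in the maillog is EACCES, and no AVC for that connect appears in the capture, so the rule above cannot explain it.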
