[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Tue Apr 25 09:19:15 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
> On Tuesday, 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>>>> On Tuesday, 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>>>> Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I
>>>> pretty much just use commands and not build policies.  So I need some
>>>> more information here.
>>>>
>>>>    From what you provided below, how do I determine what is currently in
>>>> place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>>
>>>> thanks
>>> Quick’n’(really) dirty SELinux howto:
>>> 1) Run the service. It fails due to a missing SELinux policy.
>>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
>> Do you really mean 'service_pattern', or is this a placeholder for
>> something like mysql?
>>
>> As I get 'Nothing to do'
> placeholder which changes according to your needs.
I just made it worse.  I put in mysql for myservice_policy, got a .pp
and did:

semodule -i myservice_policy.pp


Now I get real errors like:

Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc0000 r-xp 00000000 08:03 6076       /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd0000 r--p 0001e000 08:03 6076       /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd0000-b6fd1000 rw-p 0001f000 08:03 6076       /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 00000000 00:00 0          [stack]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 00000000 00:00 0          [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]

Which go away if I setenforce 0.  :(

myservice_policy.te has:


module myservice_policy 1.0;

require {
     type dovecot_t;
     type mysqld_etc_t;
     type mysqld_t;
     class unix_stream_socket connectto;
     class file { getattr open read };
     class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;
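What the grep | audit2allow step in Laurent's howto actually does, as an added example that is not from this thread: a small parser for AVC denial records from /var/log/audit/audit.log that merges them into allow rules the way audit2allow -M does, run on constructed sample lines. The sample records and the 'dovecot' pattern are assumptions; a pattern that matches no AVC line is exactly the 'Nothing to do' case, and an allow rule that audit2allow flags as covering a mislabeled object (the restorecon hint in the .te above) only treats a symptom and should be dropped once the label is fixed.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines in the kernel's AVC record format (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493097196.101:4001): avc:  denied  { read } for  pid=2101 comm="dict" name="my.cnf" dev="sda3" ino=9123 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493097196.102:4002): avc:  denied  { getattr open } for  pid=2101 comm="dict" path="/etc/my.cnf" dev="sda3" ino=9123 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493097196.103:4003): avc:  denied  { connectto } for  pid=2101 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1493097196.103:4003): arch=40000028 syscall=283 success=no exit=-13 comm="dict"
type=AVC msg=audit(1493097200.500:4010): avc:  denied  { name_connect } for  pid=3333 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# One AVC denial: the permission set, the source and target SELinux types, the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=\S+?:\S+?:(?P<stype>\w+)(?::\S*)?\s+'
    r'\btcontext=\S+?:\S+?:(?P<ttype>\w+)(?::\S*)?\s+'
    r'\btclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log_text, pattern=None):
    """Return (source_type, target_type, tclass, {perms}) per AVC denial, keeping only
    lines that match `pattern` (the grep step); no match gives [], i.e. 'Nothing to do'."""
    denials = []
    for line in log_text.splitlines():
        if pattern and not re.search(pattern, line):
            continue
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, CWD, PATH) carry no denial and are skipped
            denials.append((m['stype'], m['ttype'], m['tclass'], set(m['perms'].split())))
    return denials

def generate_allow_rules(denials):
    """Merge denials the way audit2allow does: one allow rule per
    (source type, target type, class) with the union of the denied permissions."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in generate_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG, 'dovecot')):
        print(rule)
```

On the sample input the 'dovecot' pattern yields the same two rules that appear in the myservice_policy.te above, while the httpd denial is correctly left out of the module.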