[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Wed Apr 26 16:27:38 UTC 2017
Gordon Messmer <gordon.messmer at gmail.com>

On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
> But the policy generates errors.  I will have to submit a bug report, 
> it seems 


A bug report would probably be helpful.

I'm looking back at the message you wrote describing errors in 
ld-2.17.so.  I think what's happening is that the policy on your system 
includes a silent rule that somehow breaks your system. You'll need to 
turn on debugging (logging the otherwise silent AVCs) to figure this 
out, in order to provide information that the maintainers can use to 
actually fix the problem.

So, similar to the previous process:

1: semodule -DB
2: setenforce permissive
3: tail -f /var/log/audit/audit.log | grep AVC
4: use the service, exercise each function that's constrained by the 
existing policy
5: copy and paste the output from the terminal used for #2 into 
"audit2allow -M <modulename>"
6: setenforce enforcing
7: semodule -B

You'll want to do this with your custom policy installed.  In the 
terminal that's following audit.log, you should now see AVCs logged that 
you didn't before.  Please send them to the list.

If you're only interested in resolving your problem, it should be 
sufficient to build one new module with the AVCs logged here.  If you 
want to produce a useful bug report and fix the problem for the future, 
for everyone, you need to first get back into enforcing mode and THEN 
build a new module with each individual AVC, installing each one and 
then testing dovecot, until you resolve the problem, and then removing 
all of the other new modules until you confirm that you've found one (or 
a minimal combination) of rules that is causing dovecot to crash and log 
a backtrace.