[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Wed Apr 26 16:32:04 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>

Thanks for the advice.  Will see what I can get done this evening.

On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors.  I will have to submit a bug report, 
>> it seems 
>
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in 
> ld-2.17.so.  I think what's happening is that the policy on your 
> system includes a silent rule that somehow breaks your system. You'll 
> need to turn on debugging (logging the otherwise silent AVCs) to 
> figure this out, in order to provide information that the maintainers 
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the 
> existing policy
> 5: copy and paste the output from the terminal used for #2 into 
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed.  In the 
> terminal that's following audit.log, you should now see AVCs logged 
> that you didn't before.  Please send them to the list.
>
> If you're only interested in resolving your problem, it should be 
> sufficient to build one new module with the AVCs logged here.  If you 
> want to produce a useful bug report and fix the problem for the 
> future, for everyone, you need to first get back into enforcing mode 
> and THEN build a new module with each individual AVC, installing each 
> one and then testing dovecot, until you resolve the problem, and then 
> removing all of the other new modules until you confirm that you've 
> found one (or a minimal combination) of rules that is causing dovecot 
> to crash and log a backtrace.
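An added example, not part of the original thread: a small Python helper for the per-AVC bisection described in the quoted message, which groups the lines captured in step 3 into distinct denials so that each can become its own module. The sample log lines are constructed, and the function and module names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample of what "tail -f audit.log | grep AVC" might capture.
SAMPLE_LOG = """\
type=AVC msg=audit(1493224324.101:501): avc:  denied  { name_connect } for  pid=2101 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1493224325.220:502): avc:  denied  { name_connect } for  pid=2107 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1493224326.007:503): avc:  denied  { write read } for  pid=2101 comm="auth" name="mysql.sock" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1493224326.007:503): arch=c000003e syscall=42 success=yes exit=0 comm="auth"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def group_avcs(log_text):
    """Map (source type, target type, class, perms) -> raw AVC lines."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = tuple(sorted(m.group("perms").split()))
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")),
               m.group("tclass"), perms)
        groups.setdefault(key, []).append(line)
    return groups

def candidate_modules(groups, prefix="dovecot_test"):
    """Pair each distinct denial with a hypothetical module name."""
    return [("%s_%d" % (prefix, i), key, lines)
            for i, (key, lines) in enumerate(groups.items(), 1)]

if __name__ == "__main__":
    for name, key, lines in candidate_modules(group_avcs(SAMPLE_LOG)):
        src, tgt, tclass, perms = key
        print("%s: %s -> %s:%s { %s } (%d lines)"
              % (name, src, tgt, tclass, " ".join(perms), len(lines)))
```

The raw lines of one group can then be given to `audit2allow -M <modulename>` on their own, so that each module is installed and tested individually.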