Robert Moskowitz
2017-Apr-26 05:29 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 04:22 AM, Gordon Messmer wrote:
> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>> This made the same content as before that caused problems:
>
> I still don't understand, exactly. Are you seeing *new* problems
> after installing a policy? What are the problems?
>
>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>
>> What do these 3 comments mean?
>
> I'm not sure about the first two. The context you see is the same I
> see on the one system where I run mysqld. Running restorecon doesn't
> change that context.
>
> As for the latter, it sounds like you should be able to remove your
> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
> allow dovecot to connect to mysql.

Did not work. It was set off, so I turned it on and tried it out. Got the same errors:

Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database

You would think that the mysql people would have a boolean to allow specific apps to access the socket.

And document it.
Robert Moskowitz
2017-Apr-26 05:50 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 07:29 AM, Robert Moskowitz wrote:
> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>> This made the same content as before that caused problems:
>>
>> I still don't understand, exactly. Are you seeing *new* problems
>> after installing a policy? What are the problems?
>>
>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>
>>> What do these 3 comments mean?
>>
>> I'm not sure about the first two. The context you see is the same I
>> see on the one system where I run mysqld. Running restorecon doesn't
>> change that context.
>>
>> As for the latter, it sounds like you should be able to remove your
>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
>> allow dovecot to connect to mysql.
>
> Did not work. It was set off, so I turned it on and tried it out. Got
> the same errors:
>
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
>
> You would think that the mysql people would have a boolean to allow
> specific apps to access the socket.
>
> And document it.

mysql.org is really NOT helpful. They say:

If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

The only policy available is for allowing http to access mysql.
Gordon Messmer
2017-Apr-26 06:04 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 10:29 PM, Robert Moskowitz wrote:
> Did not work. It was set off, so I turned it on and tried it out. Got
> the same errors:
>
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry

OK. Re-install the policy, "tail -f /var/log/audit/audit.log" and then try to use dovecot. You're looking for an AVC. What do you see?

> You would think that the mysql people would have a boolean to allow
> specific apps to access the socket.

That's not how SELinux works. The policy on mysql doesn't control what clients do. The clients have their own policies (or don't, many apps run unconfined).
Rob Kampen
2017-Apr-26 06:21 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 26/04/17 17:29, Robert Moskowitz wrote:
> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>> This made the same content as before that caused problems:
>>
>> I still don't understand, exactly. Are you seeing *new* problems
>> after installing a policy? What are the problems?
>>
>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>
>>> What do these 3 comments mean?
>>
>> I'm not sure about the first two. The context you see is the same I
>> see on the one system where I run mysqld. Running restorecon doesn't
>> change that context.
>>
>> As for the latter, it sounds like you should be able to remove your
>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
>> allow dovecot to connect to mysql.
>
> Did not work. It was set off, so I turned it on and tried it out. Got
> the same errors:
>
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
>

How have you specified your mysql server host? As localhost, 127.0.0.1 or as the host's IP address? In my experience it needs to be localhost or 127.0.0.1, and these are also defined in /etc/hosts.

hth

> You would think that the mysql people would have a boolean to allow
> specific apps to access the socket.
>
> And document it.
Robert Moskowitz
2017-Apr-26 06:31 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 08:04 AM, Gordon Messmer wrote:
> On 04/25/2017 10:29 PM, Robert Moskowitz wrote:
>> Did not work. It was set off, so I turned it on and tried it out.
>> Got the same errors:
>>
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
>
> OK. Re-install the policy, "tail -f /var/log/audit/audit.log" and
> then try to use dovecot. You're looking for an AVC. What do you see?

This takes two SSH connections for testing. No AVC. See end for the messages.

>> You would think that the mysql people would have a boolean to allow
>> specific apps to access the socket.
>
> That's not how SELinux works. The policy on mysql doesn't control
> what clients do. The clients have their own policies (or don't, many
> apps run unconfined).

So many of the howtos for this kind of setup call for disabling SELinux. Perhaps this is why...

Here are the messages:

type=SYSCALL msg=audit(1493187952.091:28323): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=45388b0 a1=35ead30 a2=5264b40 a3=100 items=0 ppid=7341 pid=11879 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493187952.091:28323): proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493187961.642:28325): pid=11895 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493187961.645:28326): pid=11895 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493187961.653:28327): pid=11895 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=3927 res=1
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493187961.922:28329): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493187962.135:28330): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493187962.148:28331): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SELINUX_ERR msg=audit(1493188004.599:28332): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(1493188004.599:28332): arch=40000028 syscall=11 per=800000 success=yes exit=0 a0=45388b0 a1=522fe00 a2=5266cf0 a3=100 items=0 ppid=7342 pid=11918 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1493188004.599:28332): proctitle=2F7573722F62696E2F66696C650070303031
type=ANOM_ABEND msg=audit(1493188006.218:28333): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11921 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=USER_ACCT msg=audit(1493188021.284:28334): pid=11923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1493188021.289:28335): pid=11923 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1493188021.293:28336): pid=11923 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=3928 res=1
type=USER_START msg=audit(1493188021.528:28337): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1493188021.532:28338): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1493188021.734:28339): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1493188021.746:28340): pid=11923 uid=0 auid=0 ses=3928 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
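An added example, not written by anyone in this thread: a small Python triage of audit.log records of the kind posted above, which reports what Gordon asked to look for (an AVC with dovecot_t as source) and what the excerpt actually contains instead (no AVC, the dovecot dict helper aborting with sig=6, and a SELINUX_ERR bounded-transition failure). THREAD_EXCERPT holds three records copied from the excerpt; CONSTRUCTED_AVC is a constructed record in the shape the audit2allow rule quoted earlier (allow dovecot_t mysqld_t:unix_stream_socket connectto;) would be generated from.

```python
import re

# Records copied from the audit.log excerpt above (no AVC; the dovecot dict
# helper aborts with sig=6 and init_t fails a bounded transition).
THREAD_EXCERPT = """\
type=ANOM_ABEND msg=audit(1493187955.055:28324): auid=4294967295 uid=97 gid=97 ses=4294967295 subj=system_u:system_r:dovecot_t:s0 pid=11893 comm="dict" exe="/usr/libexec/dovecot/dict" sig=6
type=SELINUX_ERR msg=audit(1493188004.599:28332): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:unconfined_service_t:s0
type=USER_START msg=audit(1493187961.910:28328): pid=11895 uid=0 auid=0 ses=3927 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""
# Constructed record (not from the thread) in the shape of the AVC that the
# audit2allow rule "allow dovecot_t mysqld_t:unix_stream_socket connectto;" comes from.
CONSTRUCTED_AVC = ("type=AVC msg=audit(1493187955.000:99999): avc:  denied  { connectto } for  "
                   'pid=11893 comm="dict" path="/var/lib/mysql/mysql.sock" '
                   "scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 "
                   "tclass=unix_stream_socket permissive=0\n")

FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")  # key=value, value may be quoted
PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")  # avc: denied { perm }

def parse_record(line):
    """One audit record -> dict of key -> value (quotes stripped; a repeated key keeps the last)."""
    return {k: v.strip("\"'") for k, v in FIELD_RE.findall(line)}

def domain_of(context):
    """'system_u:system_r:dovecot_t:s0' -> 'dovecot_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(log_text, domain="dovecot_t"):
    """Summarise what a run of audit.log records says about one confined domain."""
    out = {"avc": [], "abend": [], "selinux_err": [], "other": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        kind = rec.get("type")
        if kind == "AVC" and domain_of(rec.get("scontext", "")) == domain:
            m = PERM_RE.search(line)  # the permission is not a key=value field
            out["avc"].append({"result": m.group(1) if m else None,
                               "perm": m.group(2).strip() if m else None,
                               "target": domain_of(rec.get("tcontext", "")),
                               "tclass": rec.get("tclass"), "path": rec.get("path")})
        elif kind == "ANOM_ABEND" and domain_of(rec.get("subj", "")) == domain:
            out["abend"].append({"comm": rec.get("comm"), "sig": int(rec.get("sig", "0"))})
        elif kind == "SELINUX_ERR":
            out["selinux_err"].append({"op": rec.get("op"), "result": rec.get("seresult"),
                                       "from": domain_of(rec.get("oldcontext", "")),
                                       "to": domain_of(rec.get("newcontext", ""))})
        else:
            out["other"] += 1
    return out
```

An empty "avc" list with a non-empty "abend" list is the situation in the thread: the helper is dying rather than being denied the socket, so there is nothing for audit2allow to turn into a rule.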
Robert Moskowitz
2017-Apr-26 06:32 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 08:21 AM, Rob Kampen wrote:
> On 26/04/17 17:29, Robert Moskowitz wrote:
>> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>>> This made the same content as before that caused problems:
>>>
>>> I still don't understand, exactly. Are you seeing *new* problems
>>> after installing a policy? What are the problems?
>>>
>>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>>> #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>>
>>>> What do these 3 comments mean?
>>>
>>> I'm not sure about the first two. The context you see is the same I
>>> see on the one system where I run mysqld. Running restorecon
>>> doesn't change that context.
>>>
>>> As for the latter, it sounds like you should be able to remove your
>>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
>>> allow dovecot to connect to mysql.
>>
>> Did not work. It was set off, so I turned it on and tried it out.
>> Got the same errors:
>>
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
>>
> How have you specified your mysql server host? As localhost, 127.0.0.1
> or as the host's IP address? In my experience it needs to be localhost
> or 127.0.0.1, and these are also defined in /etc/hosts.
> hth

I am specifically using socket connection. I have tried 127.0.0.1 and had problems with that too. But different.

>> You would think that the mysql people would have a boolean to allow
>> specific apps to access the socket.
>>
>> And document it.
Phoenix, Merka
2017-Apr-26 06:55 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert, in regards to your Postfix and Dovecot issue with MySQL and SELinux,

> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
>

A Google search brought up this write-up of how William (a Red Hat engineer in Australia) faced this in 2011 and was able to solve the issue. His blog still has recent posts in 2017, so you might want to browse the "about" page and contact him directly to discuss the post.

See: http://firstyear.id.au/blog/html/2011/07/05/SELinux_for_postfix_+_dovecot.html

On this post referenced above, the author has a sample SELinux policy for postfix/dovecot and mysql. While the post references an e-mail setup guide link that is no longer reachable, the policy file is still present in text.

This URL: https://mgrepl.fedorapeople.org/man_selinux/Fedora18/mysqld.html has a good summary of the Booleans available for the MySQL SELinux policy.

For Dovecot, you will need a policy that allows the dovecot process to transition from whatever context it is currently running in to the applicable context that is defined for the mysqld process (or at least some SELinux context that permits access to the socket).

Cheers!
Simba Engineering