Laurent Wandrebeck
2017-Apr-25 08:26 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
> I thought I had this fixed, but I do not. I was away from this problem
> working on other matters, and came back (after a reboot) and it is still
> there, so I suspect when I thought I had it 'fixed' I was running with
> setenforce 0 from another problem (that is fixed).
>
> So anyone know how to get dovecot dict connecting to mysql when
> enforcing? Googling is not finding any real help.

Hi,

I've got some "tweaking" here (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled.

HTH,
Laurent.

module mydovecot 1.0;

require {
	type dovecot_auth_t;
	type postgresql_port_t;
	type dovecot_t;
	type var_t;
	type postfix_virtual_tmp_t;
	class tcp_socket name_connect;
	class file { rename read lock create write getattr link unlink open append };
	class dir { read write create add_name remove_name };
}

#============= dovecot_auth_t =============
#!!!! This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#============= dovecot_t =============
#!!!! This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
allow dovecot_t var_t:dir create;

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };

--
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
Robert Moskowitz
2017-Apr-25 08:39 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Thanks Laurent. You obviously know a LOT more about SELinux than I. I
pretty much just use commands and not build policies. So I need some
more information here.

From what you provided below, how do I determine what is currently in
place and how do I add your stuff (changing postgresql with mysql, nat.)?

thanks

On 04/25/2017 10:26 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
>> I thought I had this fixed, but I do not. I was away from this problem
>> working on other matters, and came back (after a reboot) and it is still
>> there, so I suspect when I thought I had it 'fixed' I was running with
>> setenforce 0 from another problem (that is fixed).
>>
>> So anyone know how to get dovecot dict connecting to mysql when
>> enforcing? Googling is not finding any real help.
> Hi,
>
> I've got some "tweaking" here (using postgresql, obviously) so that
> dovecot runs properly with SELinux enabled.
>
> HTH,
> Laurent.
>
> module mydovecot 1.0;
>
> require {
> 	type dovecot_auth_t;
> 	type postgresql_port_t;
> 	type dovecot_t;
> 	type var_t;
> 	type postfix_virtual_tmp_t;
> 	class tcp_socket name_connect;
> 	class file { rename read lock create write getattr link unlink
> 	open append };
> 	class dir { read write create add_name remove_name };
> }
>
> #============= dovecot_auth_t =============
> #!!!! This avc is allowed in the current policy
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
>
> #============= dovecot_t =============
> #!!!! This avc is allowed in the current policy
> allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open
> link };
> allow dovecot_t var_t:dir create;
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_t var_t:dir { read write add_name remove_name };
>
> #!!!! This avc is allowed in the current policy
> allow dovecot_t var_t:file { rename read lock create write getattr link
> unlink open append };
>
Laurent Wandrebeck
2017-Apr-25 08:58 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
> pretty much just use commands and not build policies. So I need some
> more information here.
>
> From what you provided below, how do I determine what is currently in
> place and how do I add your stuff (changing postgresql with mysql, nat.)
>
> thanks

Quick'n'(really) dirty SELinux howto:

1) Run the service. It fails due to the missing SELinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
3) Do what the output says (semodule -i myservice_policy.pp normally).
4) goto 1.

That way, you'll create and allow step by step the necessary rights so your
service ends up running normally.

The content I gave you is from mydovecot.te (the human-readable version of
the .pp created by audit2allow).

After a quick look at the audit2allow man page, it looks like you can get
the .pp by doing:
make -f /usr/share/selinux/devel/Makefile myservice_policy.pp
(it'll look for myservice_policy.te in PWD).

HTH,
--
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
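As an added example (not from this thread or any of its participants), the shell function below does the core of what the "grep | audit2allow -M" step produces: it parses audit.log AVC lines, keeps only denials whose source domain starts with a given prefix, and emits a .te module in the same shape as the mydovecot.te above, with mysqld_port_t standing in for postgresql_port_t. The audit lines, PIDs, timestamps and module name are constructed, and the generated rules are meant to be read before anything is built from them.

```shell
#!/bin/sh
# avc_to_te MODULE [DOMAIN_PREFIX]: read audit.log lines on stdin, emit a .te
# module (require block + allow rules) for the AVC denials. DOMAIN_PREFIX keeps
# only denials whose source type starts with it ("dovecot" matches dovecot_t
# and dovecot_auth_t). Review every rule before building and loading it.
avc_to_te() {
    awk -v mod="$1" -v prefix="$2" '
    /type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop the "} for pid=..." tail
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {         # the type is the 3rd field of a context
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (prefix != "" && index(src, prefix) != 1) next
        if (!(src in types)) { types[src] = 1; tlist[++nt] = src }
        if (!(tgt in types)) { types[tgt] = 1; tlist[++nt] = tgt }
        if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
        key = src " " tgt ":" cls
        if (!(key in rules)) { rules[key] = ""; klist[++nk] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {          # de-duplicate permissions per rule and per class
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
            if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; cperms[cls] = cperms[cls] " " p[j] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) printf "allow %s {%s };\n", klist[i], rules[klist[i]]
    }'
}
# Constructed sample audit.log excerpt (not from a real host): dovecot-auth
# hitting the MySQL port, dict writing under /var, and a postfix denial that
# the prefix filter must drop.
SAMPLE_AVC='type=AVC msg=audit(1493108400.101:201): avc:  denied  { name_connect } for  pid=2101 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1493108400.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="auth"
type=AVC msg=audit(1493108400.205:202): avc:  denied  { write add_name } for  pid=2102 comm="dict" name="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493108400.309:203): avc:  denied  { read } for  pid=2102 comm="dict" name="dovecot" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493108400.413:204): avc:  denied  { name_connect } for  pid=2110 comm="smtpd" dest=3306 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

printf '%s\n' "$SAMPLE_AVC" | avc_to_te mydovecot dovecot
```

The printed module is the input for the devel Makefile step Laurent mentions; a rule against a broad type such as var_t is the kind of line to question before loading it.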