Laurent Wandrebeck
2017-Apr-25 08:58 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
> pretty much just use commands and not build policies. So I need some
> more information here.
>
> From what you provided below, how do I determine what is currently in
> place and how do I add your stuff (changing postgresql with mysql, nat.)
>
> thanks

Quick'n'(really) dirty SELinux howto:
1) Run the service. It fails due to missing selinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
3) do what output says. (semodule -i myservice_policy.pp normally)
4) goto 1.
That way, you'll create and allow step by step the necessary rights so your service ends up running normally.

The content I gave you is from mydovecot.te (human readable version of .pp created by audit2allow).

After a quick look at audit2allow man, it looks like you can get .pp by doing:
make -f /usr/share/selinux/devel/Makefile myservice_policy.pp
(it'll look for myservice_policy.te in PWD).

HTH,
-- 
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
Robert Moskowitz
2017-Apr-25 09:07 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
>> pretty much just use commands and not build policies. So I need some
>> more information here.
>>
>> From what you provided below, how do I determine what is currently in
>> place and how do I add your stuff (changing postgresql with mysql, nat.)
>>
>> thanks
> Quick'n'(really) dirty SELinux howto:
> 1) Run the service. It fails due to missing selinux policy.
> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M
> myservice_policy

Do you really mean 'service_pattern', or is this a placeholder for
something like mysql?

As I get 'Nothing to do'.

> 3) do what output says. (semodule -i myservice_policy.pp normally)
> 4) goto 1. That way, you'll create and allow step by step the necessary
> rights so your service ends up running normally.
>
> The content I gave you is from mydovecot.te (human readable version
> of .pp created by audit2allow).
>
> After a quick look at audit2allow man, it looks like you can get .pp by
> doing:
> make -f /usr/share/selinux/devel/Makefile myservice_policy.pp (it'll
> look for myservice_policy.te in PWD).
>
> HTH,
Laurent Wandrebeck
2017-Apr-25 09:12 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>
> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> > On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> >> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
> >> pretty much just use commands and not build policies. So I need some
> >> more information here.
> >>
> >> From what you provided below, how do I determine what is currently in
> >> place and how do I add your stuff (changing postgresql with mysql, nat.)
> >>
> >> thanks
> > Quick'n'(really) dirty SELinux howto:
> > 1) Run the service. It fails due to missing selinux policy.
> > 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M
> > myservice_policy
>
> Do you really mean 'service_pattern', or is this a placeholder for
> something like mysql?
>
> As I get 'Nothing to do'

A placeholder which changes according to your needs.
-- 
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
Gordon Messmer
2017-Apr-25 16:45 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
> Quick'n'(really) dirty SELinux howto:

Alternate process:

1: setenforce permissive
2: tail -f /var/log/audit/audit.log | grep AVC
3: use the service, exercise each function that's constrained by the existing policy
4: copy and paste the output from the terminal used for #2 into "audit2allow -M <modulename>"
5: setenforce enforcing

This process is less iterative, which can save a *lot* of time building some policies.
Robert Moskowitz
2017-Apr-25 19:05 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick'n'(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.

How do I undo the damage the last attempt caused?

I am on the road right now (Venice, IT, to speak tomorrow on Identity Oriented Networking), and I left my test system running back home. To get to it is two SSH hops. The WiFi in this hotel is a pain. It times out after 1 hour and you have to do a web access. It does not understand things like IMAP and SSH...
Robert Moskowitz
2017-Apr-25 22:25 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick'n'(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.

This made the same content as before that caused problems:

module myservice_policy 1.0;

require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?

I don't think I want to restorecon for a socket:

# ls -Z /var/lib/mysql
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.00000001
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks
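The step that both procedures in this thread hand to audit2allow, and the .te layout quoted in the last message, as an added example that is not code from any poster: a small Python rewrite of the denial-to-allow-rule translation, so every generated rule can be read before it is loaded with semodule -i. The audit records are constructed to mirror the dovecot_t to mysqld_etc_t and mysqld_t denials under discussion; the module name mydovecot is taken from Laurent's mail, and the relabel and boolean hints that audit2allow prints are not reproduced.

```python
"""Turn AVC denials into .te allow rules the way audit2allow does (added example)."""
import re
from collections import defaultdict
# Constructed audit.log excerpt mirroring the dovecot -> mysqld denials in this thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493110000.101:4501): avc:  denied  { read } for  pid=2201 comm="dovecot" name="mysql" dev="dm-0" ino=131 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1493110000.101:4501): arch=c000003e syscall=257 success=yes exit=7 comm="dovecot" exe="/usr/libexec/dovecot/auth"
type=AVC msg=audit(1493110000.102:4502): avc:  denied  { getattr } for  pid=2201 comm="dovecot" path="/etc/my.cnf.d/client.cnf" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493110000.102:4503): avc:  denied  { read open } for  pid=2201 comm="dovecot" path="/etc/my.cnf.d/client.cnf" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493110000.103:4504): avc:  denied  { connectto } for  pid=2201 comm="dovecot" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)"
                    r".*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)")

def parse_avc(line):
    """Denial -> (source_type, target_type, tclass, {perms}); else None. Type is field 3 of a context."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"],
            set(m["perms"].split()))

def collect_rules(log_text):
    """Merge denials by (source, target, class) so repeated AVCs become one rule."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    return dict(rules)

def fmt_perms(perms):
    """One permission bare, several in braces, matching audit2allow output."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"

def render_te(module, rules):
    """Emit the .te module layout audit2allow -M writes; one allow line per rule."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)
```

Feeding it the output of grep AVC /var/log/audit/audit.log lets you compare the rules it derives with what audit2allow -M emits for the same denials.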