Laurent Wandrebeck
2017-Apr-25 09:12 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> > On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> >> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
> >> pretty much just use commands and not build policies. So I need some
> >> more information here.
> >>
> >> From what you provided below, how do I determine what is currently in
> >> place and how do I add your stuff (changing postgresql with mysql, nat.)
> >>
> >> thanks
> > Quick'n'(really) dirty SELinux howto:
> > 1) Run the service. Fails due to missing selinux policy.
> > 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M
> > myservice_policy
>
> Do you really mean 'service_pattern', or is this a placeholder for
> something like mysql?
>
> As I get 'Nothing to do'

placeholder which changes according to your needs.
--
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
Robert Moskowitz
2017-Apr-25 09:19 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>>> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>>>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I
>>>> pretty much just use commands and not build policies. So I need some
>>>> more information here.
>>>>
>>>> From what you provided below, how do I determine what is currently in
>>>> place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>>
>>>> thanks
>>> Quick'n'(really) dirty SELinux howto:
>>> 1) Run the service. Fails due to missing selinux policy.
>>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M
>>> myservice_policy
>> Do you really mean 'service_pattern', or is this a placeholder for
>> something like mysql?
>>
>> As I get 'Nothing to do'
> placeholder which changes according to your needs.

I just made it worse. I put in mysql for myservice_policy, got a .pp and did:

semodule -i myservice_policy.pp

Now I get real errors like:

Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc0000 r-xp 00000000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 00000000 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd0000 r--p 0001e000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd0000-b6fd1000 rw-p 0001f000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 00000000 00:00 0 [stack]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 00000000 00:00 0 [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]

Which go away if I setenforce 0.

:(

myservice_policy.te has:

module myservice_policy 1.0;

require {
	type dovecot_t;
	type mysqld_etc_t;
	type mysqld_t;
	class unix_stream_socket connectto;
	class file { getattr open read };
	class dir read;
}

#============= dovecot_t =============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;
Laurent Wandrebeck
2017-Apr-25 09:29 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:19 +0200, Robert Moskowitz wrote:
> /usr/lib/ld-2.17.so

This file is not part of CentOS 7, nor CentOS 6?
--
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
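To make step 2 of Laurent's howto concrete (the "grep service_pattern" filter feeding audit2allow) and to show how the .te Robert posted is derived from AVC denials, here is a small, simplified reimplementation of that step. It is added example code, not audit2allow itself and not part of the thread; the audit.log records are constructed to mirror the rules in Robert's .te, plus one unrelated httpd denial, which the sample shows is swept in when the pattern is "mysql" rather than the client domain "dovecot". audit2allow's own mislabel and boolean hints (the #!!!! lines above) are not reproduced.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the thread); the first record is an
# unrelated httpd denial, to show what the grep step filters out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493097196.101:451): avc:  denied  { name_connect } for  pid=987 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1493097196.123:456): avc:  denied  { read } for  pid=1234 comm="dict" name="my.cnf.d" dev="sda3" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1493097196.124:457): avc:  denied  { read open } for  pid=1234 comm="dict" path="/etc/my.cnf" dev="sda3" ino=4712 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493097196.125:458): avc:  denied  { getattr } for  pid=1234 comm="dict" path="/etc/my.cnf" dev="sda3" ino=4712 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1493097196.130:459): avc:  denied  { connectto } for  pid=1234 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
"""

# Contexts are user:role:type[:range]; only the type field matters for allow rules.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
                    r"scontext=\w+:\w+:(?P<stype>\w+)\S*\s+"
                    r"tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    return None if not m else (m["stype"], m["ttype"], m["tclass"], set(m["perms"].split()))

def collect_denials(log_text, service_pattern):
    """Step 2 of the howto: keep only lines matching service_pattern (what the grep
    does), then merge permissions per (source, target, class) as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line) if re.search(service_pattern, line) else None
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules

def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(rules, module_name):
    """Render policy source (.te) in the layout audit2allow -M produces."""
    out = [f"module {module_name} 1.0;", "", "require {"]
    for t in sorted({t for key in rules for t in key[:2]}):
        out.append(f"\ttype {t};")
    for tclass in sorted({key[2] for key in rules}):
        perms = set().union(*(p for key, p in rules.items() if key[2] == tclass))
        out.append(f"\tclass {tclass} {_perm_str(perms)};")
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {_perm_str(perms)};")
    return "\n".join(out) + "\n"
```

Running `render_te(collect_denials(SAMPLE_AUDIT_LOG, "dovecot"), "myservice_policy")` reproduces the three allow rules from Robert's .te; with the pattern "mysql" the httpd_t rule is generated as well, which is why the pattern should name the client service, not the thing it talks to.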