Robert Moskowitz
2017-Apr-25 19:05 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick'n'(really) dirty SELinux howto:
>
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.

How do I undo the damage the last attempt caused?

I am on the road right now (Venice, IT to speak tomorrow on Identity Oriented Networking), and I left my test system running back home. To get to it is two SSH hops. The WiFi in this hotel is a pain. It times out after 1 hour and you have to do a web access. It does not understand things like IMAP and SSH...
Gordon Messmer
2017-Apr-25 19:34 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
>
> How do I undo the damage the last attempt caused?

I'm not sure what damage you mean.

If you installed a custom selinux module already and want to remove it, look at the files in /etc/selinux/targeted/modules/active/modules/. Those are the modules you've installed. Use "semodule -r <modulename>" to remove the ones you don't need.
Robert Moskowitz
2017-Apr-25 19:55 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 09:34 PM, Gordon Messmer wrote:
> On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
>>
>> How do I undo the damage the last attempt caused?
>
> I'm not sure what damage you mean.
>
> If you installed a custom selinux module already and want to remove
> it, look at the files in /etc/selinux/targeted/modules/active/modules/.

Nothing there. But I found entries with the same name I installed under /etc/selinux/targeted/active/modules/400

> Those are the modules you've installed. Use "semodule -r
> <modulename>" to remove the ones you don't need.

So I tried this and it failed:

# semodule -r myservice_policy.pp
libsemanage.semanage_direct_remove_key: Unable to remove module myservice_policy.pp at priority 400. (No such file or directory).
semodule: Failed!

But it is there:

# ls /etc/selinux/targeted/active/modules/400/ -ls
total 4
4 drwx------. 2 root root 4096 Apr 25 05:10 myservice_policy

# ls /etc/selinux/targeted/active/modules/400/myservice_policy/ -ls
total 12
4 -rw-r--r--. 1 root root 177 Apr 25 05:10 cil
4 -rw-r--r--. 1 root root 325 Apr 25 05:10 hll
4 -rw-r--r--. 1 root root 2 Apr 25 05:09 lang_ext

Do I simply delete these files?
Robert Moskowitz
2017-Apr-25 22:15 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 09:34 PM, Gordon Messmer wrote:
> On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
>>
>> How do I undo the damage the last attempt caused?
>
> I'm not sure what damage you mean.
>
> If you installed a custom selinux module already and want to remove
> it, look at the files in
> /etc/selinux/targeted/modules/active/modules/. Those are the modules
> you've installed. Use "semodule -r <modulename>" to remove the ones
> you don't need.

OK. Got the old stuff removed. I was including the .pp in the <modulename>. Left that off and the remove worked.

Now to try your instructions,
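An added example, not part of the original thread: a POSIX sh helper for steps 2 and 4 of the alternate process quoted earlier, which condenses the captured AVC lines into one line per source type, target type, class and permission set so you can see what a generated module would allow before installing it. `module_name` strips the `.pp` suffix that made `semodule -r` fail above. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed for illustration, not taken from the thread.
SAMPLE_LOG='type=AVC msg=audit(1493100601.101:411): avc:  denied  { name_connect } for  pid=2101 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1493100601.101:411): arch=c000003e syscall=42 success=yes exit=0 comm="auth"
type=AVC msg=audit(1493100655.207:415): avc:  denied  { name_connect } for  pid=2144 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1493100702.330:419): avc:  denied  { write } for  pid=2150 comm="auth" name="mysql.sock" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file'

# Condense AVC denials on stdin to "count source_type target_type:class { perms }".
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : " ") $i; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            seen[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | LC_ALL=C sort -k2
}

# semodule -r wants the module name, not the package file: strip path and ".pp".
module_name() {
    name=${1##*/}
    printf '%s\n' "${name%.pp}"
}

# Demo on the constructed sample; on a real host, feed it the lines captured in step 2.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
# Usage with the thread's module: semodule -r "$(module_name myservice_policy.pp)"
```

Any line in the summary that names a type or permission unrelated to the service you exercised is a denial that should not go into the module.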