Robert Moskowitz
2017-Apr-25 22:25 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick'n'(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.

This made the same content as before that caused problems:

module myservice_policy 1.0;

require {
	type dovecot_t;
	type mysqld_etc_t;
	type mysqld_t;
	class unix_stream_socket connectto;
	class file { getattr open read };
	class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean? I don't think I want to restorecon for a socket:

# ls -Z /var/lib/mysql
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.00000001
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks
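The audit2allow step in the process quoted above is what turns the AVC records from /var/log/audit/audit.log into the require block and allow rules shown in the generated module. The following is an added example, not code from this thread or from the audit2allow tool itself: a reduced Python reimplementation of that summarization, run over constructed audit.log lines (the sample records are made up to match the shape of the denials behind the quoted rules; the pid, inode and timestamp values are invented). It shows which fields of each AVC record (scontext type, tcontext type, tclass, permission set) become a rule and how denials for the same triple are merged. The "#!!!!" hints about labels and booleans come from audit2allow's extra policy analysis and are not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the mailing-list thread):
# four AVC denials of the kind dovecot's dict process would produce when it
# reads the MySQL client config and connects to the server socket, plus one
# SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493162745.123:4401): avc:  denied  { read } for  pid=2311 comm="dict" name="mysql" dev="dm-0" ino=131 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1493162745.124:4402): avc:  denied  { read open } for  pid=2311 comm="dict" path="/etc/my.cnf.d/client.cnf" dev="dm-0" ino=132 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493162745.125:4403): avc:  denied  { getattr } for  pid=2311 comm="dict" path="/etc/my.cnf.d/client.cnf" dev="dm-0" ino=132 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493162745.130:4404): avc:  denied  { connectto } for  pid=2311 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1493162745.130:4404): arch=c000003e syscall=42 success=yes exit=0 comm="dict" subj=system_u:system_r:dovecot_t:s0
"""

# Fields of an AVC denial record that matter for policy generation.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as in .te syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="myservice_policy", version="1.0"):
    """Emit type-enforcement source in the layout audit2allow -M produces."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    current = None
    for key in sorted(rules):
        stype, ttype, tclass = key
        if stype != current:  # one banner per source domain, like audit2allow
            out.append(f"#============= {stype} ==============")
            current = stype
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(rules[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(summarize(SAMPLE_AUDIT_LOG.splitlines())), end="")
```

Running it prints a .te file whose allow lines match the three quoted in the mail. Two things the real tool adds on top of this are worth keeping in mind when reading its output: audit2allow -M also compiles the module into a .pp for semodule -i, and its "#!!!!" lines are advice derived from the reference policy, not part of the rules, so a boolean hint such as daemons_enable_cluster_mode means an existing policy knob already covers that denial and a custom rule may be unnecessary. Either way, the generated rules deserve a read before loading, since they allow exactly the accesses observed while permissive, whether or not those were intended.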
Gordon Messmer
2017-Apr-26 02:22 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
> This made the same content as before that caused problems:

I still don't understand, exactly. Are you seeing *new* problems after installing a policy? What are the problems?

> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
> #!!!! This avc can be allowed using the boolean
> 'daemons_enable_cluster_mode'
> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>
> What do these 3 comments mean?

I'm not sure about the first two. The context you see is the same I see on the one system where I run mysqld. Running restorecon doesn't change that context.

As for the latter, it sounds like you should be able to remove your custom policy and "setsebool -P daemons_enable_cluster_mode 1" to allow dovecot to connect to mysql.
Robert Moskowitz
2017-Apr-26 05:29 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 04:22 AM, Gordon Messmer wrote:
> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>> This made the same content as before that caused problems:
>
> I still don't understand, exactly. Are you seeing *new* problems
> after installing a policy? What are the problems?
>
>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>> #!!!! This avc can be allowed using the boolean
>> 'daemons_enable_cluster_mode'
>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>
>> What do these 3 comments mean?
>
> I'm not sure about the first two. The context you see is the same I
> see on the one system where I run mysqld. Running restorecon doesn't
> change that context.
>
> As for the latter, it sounds like you should be able to remove your
> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
> allow dovecot to connect to mysql.

Did not work. It was set off, so I turned it on and tried it out. Got the same errors:

Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database

You would think that the mysql people would have a boolean to allow specific apps to access the socket. And document it.