Gordon Messmer
2017-Apr-26 16:27 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
> But the policy generates errors. I will have to submit a bug report,
> it seems

A bug report would probably be helpful.

I'm looking back at the message you wrote describing errors in ld-2.17.so. I think what's happening is that the policy on your system includes a silent rule that somehow breaks your system. You'll need to turn on debugging (logging the otherwise silent AVCs) to figure this out, in order to provide information that the maintainers can use to actually fix the problem.

So, similar to the previous process:

1: semodule -DB
2: setenforce permissive
3: tail -f /var/log/audit/audit.log | grep AVC
4: use the service, exercise each function that's constrained by the existing policy
5: copy and paste the output from the terminal used for #2 into "audit2allow -M <modulename>"
6: setenforce enforcing
7: semodule -B

You'll want to do this with your custom policy installed. In the terminal that's following audit.log, you should now see AVCs logged that you didn't before. Please send them to the list.

If you're only interested in resolving your problem, it should be sufficient to build one new module with the AVCs logged here. If you want to produce a useful bug report and fix the problem for the future, for everyone, you need to first get back into enforcing mode and THEN build a new module with each individual AVC, installing each one and then testing dovecot, until you resolve the problem, and then removing all of the other new modules until you confirm that you've found one (or a minimal combination) of rules that is causing dovecot to crash and log a backtrace.
Robert Moskowitz
2017-Apr-26 16:32 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Thanks for the advice. Will see what I can get done this evening.

On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors. I will have to submit a bug report,
>> it seems
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in
> ld-2.17.so. I think what's happening is that the policy on your
> system includes a silent rule that somehow breaks your system. You'll
> need to turn on debugging (logging the otherwise silent AVCs) to
> figure this out, in order to provide information that the maintainers
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the
> existing policy
> 5: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed. In the
> terminal that's following audit.log, you should now see AVCs logged
> that you didn't before. Please send them to the list.
>
> If you're only interested in resolving your problem, it should be
> sufficient to build one new module with the AVCs logged here. If you
> want to produce a useful bug report and fix the problem for the
> future, for everyone, you need to first get back into enforcing mode
> and THEN build a new module with each individual AVC, installing each
> one and then testing dovecot, until you resolve the problem, and then
> removing all of the other new modules until you confirm that you've
> found one (or a minimal combination) of rules that is causing dovecot
> to crash and log a backtrace.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
Robert Moskowitz
2017-Apr-28 07:06 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Gordon,

Thank you for your help on this. Still not working...

On 04/26/2017 06:27 PM, Gordon Messmer wrote:
> On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
>> But the policy generates errors. I will have to submit a bug report,
>> it seems
>
> A bug report would probably be helpful.
>
> I'm looking back at the message you wrote describing errors in
> ld-2.17.so. I think what's happening is that the policy on your
> system includes a silent rule that somehow breaks your system. You'll
> need to turn on debugging (logging the otherwise silent AVCs) to
> figure this out, in order to provide information that the maintainers
> can use to actually fix the problem.
>
> So, similar to the previous process:
>
> 1: semodule -DB
> 2: setenforce permissive
> 3: tail -f /var/log/audit/audit.log | grep AVC
> 4: use the service, exercise each function that's constrained by the
> existing policy
> 5: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 6: setenforce enforcing
> 7: semodule -B
>
> You'll want to do this with your custom policy installed. In the
> terminal that's following audit.log, you should now see AVCs logged
> that you didn't before. Please send them to the list.
>
> If you're only interested in resolving your problem, it should be
> sufficient to build one new module with the AVCs logged here. If you
> want to produce a useful bug report and fix the problem for the
> future, for everyone, you need to first get back into enforcing mode
> and THEN build a new module with each individual AVC, installing each
> one and then testing dovecot, until you resolve the problem, and then
> removing all of the other new modules until you confirm that you've
> found one (or a minimal combination) of rules that is causing dovecot
> to crash and log a backtrace.

Here are the messages I got:

type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc: denied { siginh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc: denied { noatsecure } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { rlimitinh } for pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { siginh } for pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc: denied { noatsecure } for pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { rlimitinh } for pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { siginh } for pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc: denied { noatsecure } for pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { rlimitinh } for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { siginh } for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc: denied { noatsecure } for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { rlimitinh } for pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { siginh } for pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc: denied { noatsecure } for pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { rlimitinh } for pid=3064 comm="deliver" scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { siginh } for pid=3064 comm="deliver" scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.073:49211): avc: denied { noatsecure } for pid=3064 comm="deliver" scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:system_r:dovecot_deliver_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.724:49212): avc: denied { open } for pid=3068 comm="dict" path="/etc/my.cnf.d" dev="sda3" ino=12779 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1493361722.244:49216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

I made the policy, applied it, and set my standard sendmail test:

sendmail -i testit3 at test.htt-consult.com < /usr/share/doc/amavisd-new-2.10.1/test-messages/README

It failed accessing mysql with the following maillog messages:

Apr 28 02:55:11 z9m9z postfix/pickup[1554]: 8A0124CDA: uid=0 from=<root>
Apr 28 02:55:11 z9m9z postfix/cleanup[3354]: 8A0124CDA: message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:11 z9m9z postfix/qmgr[6166]: 8A0124CDA: from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 129) line 172.
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) LMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20170427T030938-07341-6TygUJMr: <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com> SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017 02:55:11 -0400 (EDT)
Apr 28 02:55:11 z9m9z amavis[7341]: (07341-17) Checking: A2vWsL1r3nYT [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>
Apr 28 02:55:13 z9m9z postfix/smtpd[3363]: connect from localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: 564C049E2: client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:55:14 z9m9z postfix/cleanup[3354]: 564C049E2: message-id=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 564C049E2: from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:55:14 z9m9z postfix/smtpd[3363]: disconnect from localhost[127.0.0.1]
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) A2vWsL1r3nYT FWD from <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 564C049E2
Apr 28 02:55:14 z9m9z amavis[7341]: (07341-17) Passed CLEAN {RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, Message-ID: <20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>, mail_id: A2vWsL1r3nYT, Hits: 2.973, size: 1424, queued_as: 564C049E2, 2645 ms
Apr 28 02:55:14 z9m9z postfix/lmtp[3359]: 8A0124CDA: to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.3, delays=0.47/0.11/0.03/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 564C049E2)
Apr 28 02:55:14 z9m9z postfix/qmgr[6166]: 8A0124CDA: removed
Apr 28 02:55:15 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error: Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 28 02:55:15 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): Error: Internal quota calculation error
Apr 28 02:55:15 z9m9z dovecot: lda(testit3 at test.htt-consult.com): sieve: msgid=<20170428065511.8A0124CDA at z9m9z.test.htt-consult.com>: stored mail into mailbox 'INBOX'
Apr 28 02:55:15 z9m9z postfix/pipe[3370]: 564C049E2: to=<testit3 at test.htt-consult.com>, relay=dovecot, delay=0.9, delays=0.14/0.15/0/0.62, dsn=2.0.0, status=sent (delivered via dovecot service)
Apr 28 02:55:15 z9m9z postfix/qmgr[6166]: 564C049E2: removed

I set SELinux to permissive and it works:

Apr 28 02:57:53 z9m9z postfix/pickup[1554]: DF38F4CDA: uid=0 from=<root>
Apr 28 02:57:54 z9m9z postfix/cleanup[3419]: DF38F4CDA: message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:54 z9m9z postfix/qmgr[6166]: DF38F4CDA: from=<root at z9m9z.test.htt-consult.com>, size=1424, nrcpt=1 (queue active)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) LMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20170426T190541-07342-ifG0CeGq: <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com> SIZE=1424 Received: from z9m9z.test.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.test.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <testit3 at test.htt-consult.com>; Fri, 28 Apr 2017 02:57:54 -0400 (EDT)
Apr 28 02:57:54 z9m9z amavis[7342]: (07342-17) Checking: wWh0cdDyySoD [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>
Apr 28 02:57:55 z9m9z postfix/smtpd[3427]: connect from localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: 428694AC1: client=localhost[127.0.0.1], orig_client=unknown[127.0.0.1]
Apr 28 02:57:56 z9m9z postfix/cleanup[3419]: 428694AC1: message-id=<20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: 428694AC1: from=<root at z9m9z.test.htt-consult.com>, size=2136, nrcpt=1 (queue active)
Apr 28 02:57:56 z9m9z postfix/smtpd[3427]: disconnect from localhost[127.0.0.1]
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) wWh0cdDyySoD FWD from <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 428694AC1
Apr 28 02:57:56 z9m9z amavis[7342]: (07342-17) Passed CLEAN {RelayedInbound}, [127.0.0.1] <root at z9m9z.test.htt-consult.com> -> <testit3 at test.htt-consult.com>, Message-ID: <20170428065753.DF38F4CDA at z9m9z.test.htt-consult.com>, mail_id: wWh0cdDyySoD, Hits: 2.973, size: 1424, queued_as: 428694AC1, 2232 ms
Apr 28 02:57:56 z9m9z postfix/lmtp[3424]: DF38F4CDA: to=<testit3 at test.htt-consult.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.9, delays=0.47/0.11/0.03/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 428694AC1)
Apr 28 02:57:56 z9m9z postfix/qmgr[6166]: DF38F4CDA: removed

So these additional policies stop all the memory errors, but still leave me not working with SELinux.

When I get home Monday, I am going to rebuild the server. With my Howtos, this is not so hard. It could be that with all the testing, I dropped something in that I should not have. If I still have this problem, then it is bug report time. And then I will do it one AVC at a time with the policy building.

Again, thanks
Gordon Messmer
2017-Apr-28 16:36 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>
> Here are the messages I got:
>
> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh }
> for pid=3047 comm="cleanup"
> scontext=system_u:system_r:postfix_master_t:s0
> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
> permissive=1

My advice would be to slow down, and solve one problem at a time. We were talking about testing dovecot, and now you're testing postfix. I know you need them both to work, but these are separate services, with their own individual policies. If you're going to submit a bug report, you need to be able to specifically describe the problem and the solution. You're not going to do that by mixing different services together.

> sendmail -i testit3 at test.htt-consult.com <
> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>
> It failed accessing mysql with the following maillog messages:

Yes, but the policy you added earlier only granted MySQL access to dovecot. For postfix, you'll want to check for booleans first and then create a policy (without debugging AVCs) if no boolean exists, and then look at debugging AVCs if there are still issues (which is *almost* never the case).

>
> When I get home Monday, I am going to rebuild the server.

That would be good. Keep a log of *all* of the changes you make to the system, from the very beginning. Once you resolve the problem, rebuild the server again and follow your log.
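The thread ends with two pieces of advice: build one module per AVC rather than one module for everything, and keep the dovecot and postfix denials apart because they belong to separate policies. The Python below is an added example, not code from the thread, from CentOS, or from the audit2allow tool; it parses AVC lines in the audit.log format Robert posted (a handful of his lines are embedded as constructed sample input), collapses them into allow rules in the shape audit2allow prints, and groups the rules by source domain so each domain's denials can be built into its own module. It also separates out the rlimitinh/siginh/noatsecure process permissions, which the reference policy's domain-transition patterns normally dontaudit, which is why they appear only after semodule -DB; whether those need a rule is a policy decision, so the grouping function can include or exclude them. Function names and the sample line selection are this example's own.

```python
"""Group SELinux AVC denials into per-domain candidate allow rules.

Added example, not from the mailing-list thread. Reads audit.log AVC
lines, keys each denial by (source type, target type, object class)
and emits one allow rule per key in the form audit2allow prints,
grouped by source domain.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines posted in the thread
# plus the USER_AVC setenforce notice, which is not a denial.
SAMPLE_LINES = [
    'type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361695.041:49205): avc: denied { siginh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361695.041:49205): avc: denied { noatsecure } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361699.102:49209): avc: denied { rlimitinh } for pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361700.724:49212): avc: denied { open } for pid=3068 comm="dict" path="/etc/my.cnf.d" dev="sda3" ino=12779 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1',
    "type=USER_AVC msg=audit(1493361722.244:49216): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

# Matches kernel AVC denials only; USER_AVC records and notices are skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Process permissions the reference policy dontaudits on domain transitions;
# they surface only once dontaudit rules are disabled with semodule -DB.
SILENT_PROCESS_PERMS = {"rlimitinh", "siginh", "noatsecure"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def group_rules(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules


def format_rule(key, perms):
    """Render one rule the way audit2allow prints it."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def rules_by_domain(lines, include_silent=False):
    """Return {source domain: [allow rules]} so each domain gets its own module.

    Rules consisting only of the normally dontaudited process permissions
    are dropped unless include_silent is set.
    """
    out = defaultdict(list)
    for key, perms in sorted(group_rules(lines).items()):
        if not include_silent and key[2] == "process" and perms <= SILENT_PROCESS_PERMS:
            continue
        out[key[0]].append(format_rule(key, perms))
    return dict(out)


if __name__ == "__main__":
    for domain, rules in rules_by_domain(SAMPLE_LINES, include_silent=True).items():
        print(f"# module candidate for {domain}")
        for rule in rules:
            print(rule)
```

Run against the sample, the only rule left after the dontaudited transition permissions are filtered is the dovecot_t access to mysqld_etc_t, which is the one denial in Robert's output that concerns dovecot talking to MySQL; the postfix_master_t lines fall into their own group and would go into a separate module, as Gordon's reply suggests.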