Gordon Messmer
2017-Apr-28 16:36 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>
> Here are the messages I got:
>
> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh }
> for pid=3047 comm="cleanup"
> scontext=system_u:system_r:postfix_master_t:s0
> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
> permissive=1

My advice would be to slow down, and solve one problem at a time. We were talking about testing dovecot, and now you're testing postfix. I know you need them both to work, but these are separate services, with their own individual policies. If you're going to submit a bug report, you need to be able to specifically describe the problem and the solution. You're not going to do that by mixing different services together.

> sendmail -i testit3 at test.htt-consult.com <
> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>
> It failed accessing mysql with the following maillog messages:

Yes, but the policy you added earlier only granted MySQL access to dovecot. For postfix, you'll want to check for booleans first and then create a policy (without debugging AVCs) if no boolean exists, and then look at debugging AVCs if there are still issues (which is *almost* never the case).

> When I get home Monday, I am going to rebuild the server.

That would be good. Keep a log of *all* of the changes you make to the system, from the very beginning. Once you resolve the problem, rebuild the server again and follow your log.
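Added example, not code from the thread or from either poster: a shell script that parses an AVC line like the one quoted above and prints the next steps in the order Gordon describes (look for a boolean first, build a local module with audit2allow only if none exists, then audit2why for whatever is still denied). It assumes an SELinux host with policycoreutils/audit tools installed (getsebool, ausearch, audit2allow, audit2why, semodule); the second AVC line is constructed and the local_* module name is a placeholder.

```shell
#!/bin/bash
# Added example, not from the thread. Parses an SELinux AVC denial and prints
# the next steps in the order Gordon recommends: boolean first, then a local
# policy module via audit2allow, then audit2why for anything still denied.
# THREAD_AVC is the denial quoted above; SAMPLE_AVC is a constructed line
# (an assumed postfix -> mysqld port denial) in the same audit format.
THREAD_AVC='type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1'
SAMPLE_AVC='type=AVC msg=audit(1493400000.000:1): avc:  denied  { name_connect } for  pid=4242 comm="cleanup" dest=3306 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

avc_field() {  # $1 = AVC line, $2 = key -> value of key=value, quotes stripped
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

avc_perm() {  # permission(s) listed between the braces, e.g. name_connect
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

avc_source_type() {  # type field of scontext (user:role:type:level)
    avc_field "$1" scontext | cut -d: -f3
}

service_name() {  # postfix_cleanup_t -> postfix, mysqld_port_t -> mysqld
    printf '%s\n' "$1" | sed 's/_t$//; s/_.*//'
}

boolean_candidates() {  # booleans whose name mentions either side of the denial
    local src dst
    src=$(service_name "$(avc_source_type "$1")")
    dst=$(service_name "$(avc_field "$1" tcontext | cut -d: -f3)")
    command -v getsebool >/dev/null 2>&1 || return 0   # not an SELinux host
    getsebool -a 2>/dev/null | grep -E "$src|$dst" || true
}

triage_plan() {  # prints what to run next for one AVC line
    local line="$1" src comm mod bools
    src=$(avc_source_type "$line"); comm=$(avc_field "$line" comm)
    mod="local_${src%_t}"; bools=$(boolean_candidates "$line")   # placeholder module name
    printf 'Denied %s for %s (comm=%s, tclass=%s)\n' \
        "$(avc_perm "$line")" "$src" "$comm" "$(avc_field "$line" tclass)"
    if [ -n "$bools" ]; then
        printf 'Step 1: review these booleans; enable one with setsebool -P <name> on:\n%s\n' "$bools"
    else
        printf 'Step 2: no boolean found; build a module from the AVCs of that command:\n'
        printf '  ausearch -m avc -c %s | audit2allow -M %s && semodule -i %s.pp\n' "$comm" "$mod" "$mod"
    fi
    printf 'Step 3: if denials remain, audit2why -a explains why each one is still refused.\n'
}

triage_plan "$THREAD_AVC"
triage_plan "$SAMPLE_AVC"
```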
me at tdiehl.org
2017-Apr-28 18:07 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Fri, 28 Apr 2017, Gordon Messmer wrote:
> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>>
>> Here are the messages I got:
>>
>> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for
>> pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0
>> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
>> permissive=1
>
> My advice would be to slow down, and solve one problem at a time. We were
> talking about testing dovecot, and now you're testing postfix. I know you
> need them both to work, but these are separate services, with their own
> individual policies. If you're going to submit a bug report, you need to be
> able to specifically describe the problem and the solution. You're not going
> to do that by mixing different services together.
>
>> sendmail -i testit3 at test.htt-consult.com <
>> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>>
>> It failed accessing mysql with the following maillog messages:
>
> Yes, but the policy you added earlier only granted MySQL access to dovecot.
> For postfix, you'll want to check for booleans first and then create a policy
> (without debugging AVCs) if no boolean exists, and then look at debugging
> AVCs if there are still issues (which is *almost* never the case).
>
>> When I get home Monday, I am going to rebuild the server.
>
> That would be good. Keep a log of *all* of the changes you make to the
> system, from the very beginning. Once you resolve the problem, rebuild the
> server again and follow your log.

+1 to what Gordon said. It is the only way you are going to figure it out.

You could use something like Ansible so that you can rebuild the server the same way in about 20 minutes. Yes, it takes time to get Ansible or something similar to work but once you do, you can build the same thing as many times as you need and they are always the same.

Just a thought.

Regards,

-- 
Tom me at tdiehl.org
Spamtrap address me123 at tdiehl.org
Robert Moskowitz
2017-Apr-29 21:35 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/28/2017 08:07 PM, me at tdiehl.org wrote:
> On Fri, 28 Apr 2017, Gordon Messmer wrote:
>
>> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>>>
>>> Here are the messages I got:
>>>
>>> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for
>>> pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
>>> permissive=1
>>
>> My advice would be to slow down, and solve one problem at a time. We
>> were talking about testing dovecot, and now you're testing postfix.
>> I know you need them both to work, but these are separate services,
>> with their own individual policies. If you're going to submit a bug
>> report, you need to be able to specifically describe the problem and
>> the solution. You're not going to do that by mixing different
>> services together.
>>
>>> sendmail -i testit3 at test.htt-consult.com <
>>> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>>>
>>> It failed accessing mysql with the following maillog messages:
>>
>> Yes, but the policy you added earlier only granted MySQL access to
>> dovecot. For postfix, you'll want to check for booleans first and
>> then create a policy (without debugging AVCs) if no boolean exists,
>> and then look at debugging AVCs if there are still issues (which is
>> *almost* never the case).
>>
>>> When I get home Monday, I am going to rebuild the server.
>>
>> That would be good. Keep a log of *all* of the changes you make to
>> the system, from the very beginning. Once you resolve the problem,
>> rebuild the server again and follow your log.
>
> +1 to what Gordon said. It is the only way you are going to figure it
> out.
>
> You could use something like Ansible so that you can rebuild the
> server the same way in about 20 minutes. Yes, it takes time to get
> Ansible or something similar to work but once you do, you can build
> the same thing as many times as you need and they are always the same.

I think I have rather good instructions with which I can build the server quickly:

http://medon.htt-consult.com/Centos7-mailserver.html

Though I am going to drop mailgraph. At first, looking at another site using it, I was impressed. But not anymore. Plus the pages are in German, and I really can't do the translation.
Robert Moskowitz
2017-Apr-30 05:49 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/28/2017 06:36 PM, Gordon Messmer wrote:
> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>>
>> Here are the messages I got:
>>
>> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh }
>> for pid=3047 comm="cleanup"
>> scontext=system_u:system_r:postfix_master_t:s0
>> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
>> permissive=1
>
> My advice would be to slow down, and solve one problem at a time.

I failed to look at the content of these messages and see that there was also a problem with postfix accessing mysql. I was not getting any errors about this in maillog.

> We were talking about testing dovecot, and now you're testing postfix.

I would have to think a bit about how to test dovecot accessing mysql without it processing an email handed off to it by postfix.

> I know you need them both to work, but these are separate services,
> with their own individual policies. If you're going to submit a bug
> report, you need to be able to specifically describe the problem and
> the solution. You're not going to do that by mixing different
> services together.

Nope. But I see now there is a broader problem.

>> sendmail -i testit3 at test.htt-consult.com <
>> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>>
>> It failed accessing mysql with the following maillog messages:
>
> Yes, but the policy you added earlier only granted MySQL access to
> dovecot. For postfix, you'll want to check for booleans first and
> then create a policy (without debugging AVCs) if no boolean exists,
> and then look at debugging AVCs if there are still issues (which is
> *almost* never the case).

So now I do some googling about postfix/mysql and SELinux. Probably a better discussed combination.

>> When I get home Monday, I am going to rebuild the server.
>
> That would be good. Keep a log of *all* of the changes you make to
> the system, from the very beginning. Once you resolve the problem,
> rebuild the server again and follow your log.