Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 07:29 AM, Robert Moskowitz wrote:
> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>> This made the same content as before that caused problems:
>>
>> I still don't understand, exactly. Are you seeing *new* problems after installing a policy? What are the problems?
>>
>>> # The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>>> # Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>> # This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>
>>> What do these 3 comments mean?
>>
>> I'm not sure about the first two. The context you see is the same I see on the one system where I run mysqld. Running restorecon doesn't change that context.
>>
>> As for the latter, it sounds like you should be able to remove your custom policy and "setsebool -P daemons_enable_cluster_mode 1" to allow dovecot to connect to mysql.
>
> Did not work. It was set off, so I turned it on and tried it out. Got the same errors:
>
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database
>
> You would think that the mysql people would have a boolean to allow specific apps to access the socket. And document it.

mysql.org is really NOT helpful. They say:

    If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

The only policy available is for allowing http to access mysql.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/26/2017 04:22 AM, Gordon Messmer wrote:
> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>> This made the same content as before that caused problems:
>
> I still don't understand, exactly. Are you seeing *new* problems after installing a policy? What are the problems?
>
>> # The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
>> # Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>> # This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>
>> What do these 3 comments mean?
>
> I'm not sure about the first two. The context you see is the same I see on the one system where I run mysqld. Running restorecon doesn't change that context.
>
> As for the latter, it sounds like you should be able to remove your custom policy and "setsebool -P daemons_enable_cluster_mode 1" to allow dovecot to connect to mysql.

Did not work. It was set off, so I turned it on and tried it out. Got the same errors:

Apr 26 01:25:45 z9m9z dovecot: dict: Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not connected to database

You would think that the mysql people would have a boolean to allow specific apps to access the socket. And document it.
Re: [CentOS] saslauth logging
On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer (gordon.mess...@gmail.com) wrote:
> On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
>> What I want is the IP address and if possible the incorrect password (just to see how far they are off).
>> Is this possible?
>
> I hope not. That's a terrible idea. Every time a user fat-fingers their password, your plain-text logs have a copy of their almost-correct password.

As always there are tradeoffs ...

I have a reasonably strict password policy, so by looking at the failed passwords I can see how far the tries are off the real thing, so it actually is a good thing for me. Also I learn which passwords are used for cracking, which again is a good thing.

As for the logged passwords - this is a non-user server, only two people have access ... so reading the logs is difficult for imap/sendmail users in the company ...

J

--
Gravity does not exist, the Earth sucks.
| |0| | Jobst Schmalenbach, jo...@barrett.com.au, General Manager
| | |0| Barrett Consulting Group P/L & The Meditation Room P/L
|0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
Re: [CentOS] saslauth logging
On Tue, Apr 25, 2017 at 07:15:43PM -0700, John R Pierce (pie...@hogranch.com) wrote:
> On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote:
>> snip
>
> client request originated from, so logging the IP of the failed request had best be done at a higher layer.

Good answer, makes sense.

As for the higher layer used - can be either sendmail or imaps as both use the saslauth. Just need to find a way to "connect" the sasl request to the caller that issued the sasl request ...

thx
Jobst

--
Student to Teacher: Sir, what's an oxymoron?
Teacher to Student: Microsoft security.
| |0| | Jobst Schmalenbach, jo...@barrett.com.au, General Manager
| | |0| Barrett Consulting Group P/L & The Meditation Room P/L
|0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
[CentOS] kde panels not retaining launcher icon
greetings one and all.

new install of centos 6.8. 3 kde panels @ left, top, right sides. left and top panel are for program selection. right panel for active running programs.

added 'launcher' icons to left and top panels, but panels are not retaining launcher icons. when i close kde to save ~/.kde file and reopen kde, 1, 2, or all 3 panels will be missing launcher.

has anyone else seen such or know of cure?

much help appreciated. tia.

--
The important thing is not to stop questioning. - Albert Einstein
CentOS GNU/Linux 6.8 -- KDE 4.3.4
Firefox 45.7.0 -- Thunderbird 45.6.0
GNUCash 2.4.15 -- zoneminder 1.30.0
peace out.
tc,hago.
g
.
=+= Tired of having your microsoft os hacked? Change to Linux os, used by microsoft hackers.
=+= in a world without fences, who needs gates.
=+=
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
> This made the same content as before that caused problems:

I still don't understand, exactly. Are you seeing *new* problems after installing a policy? What are the problems?

> # The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
> # Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
> # This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>
> What do these 3 comments mean?

I'm not sure about the first two. The context you see is the same I see on the one system where I run mysqld. Running restorecon doesn't change that context.

As for the latter, it sounds like you should be able to remove your custom policy and "setsebool -P daemons_enable_cluster_mode 1" to allow dovecot to connect to mysql.
Re: [CentOS] saslauth logging
On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote:
> Is it possible to log a bit more detail when auth failure occurs when using saslauthd?
>
> saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] [realm=DELETED] [mech=pam] [reason=PAM auth error]
>
> What I want is the IP address and if possible the incorrect password (just to see how far they are off).
> Is this possible?

what protocol are these users connecting with that's using saslauthd ? http or smtp or imap or what?

I'm pretty sure that by the time you've gotten down to the SASL layer, saslauthd has no clue what IP address the client request originated from, so logging the IP of the failed request had best be done at a higher layer.

--
john r pierce, recycling bits in santa cruz
Re: [CentOS] saslauth logging
On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
> What I want is the IP address and if possible the incorrect password (just to see how far they are off).
> Is this possible?

I hope not. That's a terrible idea. Every time a user fat-fingers their password, your plain-text logs have a copy of their almost-correct password.
[CentOS] saslauth logging
Hi

Not sure whether this is the correct list to ask ... if it's not please direct me to the correct one.

Is it possible to log a bit more detail when auth failure occurs when using saslauthd?

saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] [realm=DELETED] [mech=pam] [reason=PAM auth error]

What I want is the IP address and if possible the incorrect password (just to see how far they are off).
Is this possible?

thanks
Jobst

--
If a pig loses its voice, is it disgruntled?
| |0| | Jobst Schmalenbach
| | |0| jo...@barrett.com.au
|0|0|0| General Manager
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick’n’(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the existing policy
> 4: copy and paste the output from the terminal used for #2 into "audit2allow -M "
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time building some policies.

This made the same content as before that caused problems:

module myservice_policy 1.0;

require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?

I don't think I want to restorecon for a socket:

# ls -Z /var/lib/mysql
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.0001
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 09:34 PM, Gordon Messmer wrote:
> On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
>> How do I undo the damage the last attempt caused?
>
> I'm not sure what damage you mean. If you installed a custom selinux module already and want to remove it, look at the files in /etc/selinux/targeted/modules/active/modules/. Those are the modules you've installed. Use "semodule -r " to remove the ones you don't need.

OK. Got the old stuff removed. I was including the .pp in the . Left that off and the remove worked.

Now to try your instructions,
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 09:34 PM, Gordon Messmer wrote:
> On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
>> How do I undo the damage the last attempt caused?
>
> I'm not sure what damage you mean. If you installed a custom selinux module already and want to remove it, look at the files in /etc/selinux/targeted/modules/active/modules/.

Nothing there. But I found entries with the same name I installed under /etc/selinux/targeted/active/modules/400

> Those are the modules you've installed. Use "semodule -r " to remove the ones you don't need.

So I tried this and it failed:

# semodule -r myservice_policy.pp
libsemanage.semanage_direct_remove_key: Unable to remove module myservice_policy.pp at priority 400. (No such file or directory).
semodule: Failed!

But it is there:

# ls /etc/selinux/targeted/active/modules/400/ -ls
total 4
4 drwx------. 2 root root 4096 Apr 25 05:10 myservice_policy
# ls /etc/selinux/targeted/active/modules/400/myservice_policy/ -ls
total 12
4 -rw-r--r--. 1 root root 177 Apr 25 05:10 cil
4 -rw-r--r--. 1 root root 325 Apr 25 05:10 hll
4 -rw-r--r--. 1 root root   2 Apr 25 05:09 lang_ext

Do I simply delete these files?
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 12:05 PM, Robert Moskowitz wrote:
> How do I undo the damage the last attempt caused?

I'm not sure what damage you mean. If you installed a custom selinux module already and want to remove it, look at the files in /etc/selinux/targeted/modules/active/modules/. Those are the modules you've installed. Use "semodule -r " to remove the ones you don't need.
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick’n’(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the existing policy
> 4: copy and paste the output from the terminal used for #2 into "audit2allow -M "
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time building some policies.

How do I undo the damage the last attempt caused?

I am on the road right now (Venice, IT to speak tomorrow on Identity Oriented Networking), and I left my test system running back home. To get to it is two SSH hops. The WiFi in this hotel is a pain. It times out after 1 hour and you have to do a web access. It does not understand things like IMAP and SSH...
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
> Quick’n’(really) dirty SELinux howto:

Alternate process:

1: setenforce permissive
2: tail -f /var/log/audit/audit.log | grep AVC
3: use the service, exercise each function that's constrained by the existing policy
4: copy and paste the output from the terminal used for #2 into "audit2allow -M "
5: setenforce enforcing

This process is less iterative, which can save a *lot* of time building some policies.
[CentOS] Odd disk automount issue on C7.3.1611
I'm posting here before going through all the fun to do up a real bug report to see if anyone else has seen this behavior.

I have two identical Dynex external USB3 drive enclosures with identical 3TB drives in each enclosure. The dmesg output shows:

$ dmesg |grep TOSHIBA
[ 59.942546] scsi 7:0:0:0: Direct-Access TOSHIBA DT01ACA300PQ: 0 ANSI: 6
[ 86.301123] scsi 8:0:0:0: Direct-Access TOSHIBA DT01ACA300PQ: 0 ANSI: 6
$

HOWEVER, the 'Disks' utility program only sees the first one plugged in, and not the second one. It doesn't matter which one I plug in first; the second one won't get seen by Disks nor will it get automounted. It doesn't even do the 'USB device inserted' sound, for that matter.

As another oddity, one of the drives has a LUKS-encrypted ext4 filesystem; the other has an XFS filesystem; if I plug in the XFS-formatted drive first, the LUKS-encrypted one will no longer automount even if the XFS-formatted drive is unmounted and unplugged first, but the converse does work (mount LUKS+ext4; unmount and unplug; plug in XFS, it gets automounted). If I plug in the LUKS+ext4 disk first, enter the passphrase, and let it mount, then plug in the XFS drive, I can then manually (from the command line) mount it just fine and both drives work just fine. Both drives work fine when used singly, but not when both are plugged in.

So, has anyone else seen this? I don't mind filing a bug report, but I am at a bit of a loss as to what component to file it under. I haven't dug into too many logs or other files as yet, but I can if I need to do so. I ran into this making an encrypted copy of the contents of the XFS disk, which will be wiped and reformatted LUKS+ext4, and I'd like to make these two drives back each other up.

If I plug in a different USB3 drive, such as my 4TB Seagate, everything works as expected; it seems to only be the identical drives that confuse whatever process is detecting this.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
828-862-5554
www.pari.edu
Re: [CentOS] sha256sum a dvd
On 04/24/2017 12:39 PM, Jonathan Billings wrote:
> On Mon, Apr 24, 2017 at 12:53:36PM -0400, James B. Byrne wrote:
>> CentOS-6.9
>>
>> I am trying to verify a locally created dvd. I am using sha256sum in this fashion:
>>
>> sha256sum /dev/sr0
>>
>> Which gave this result:
>>
>> sha256sum: /dev/sr0: Input/output error
>>
>> So I tried this:
>>
>> sha256sum /dev/cdrom
>>
>> Which, after some time, also produces:
>>
>> sha256sum: /dev/cdrom: Input/output error
>>
>> What does this mean and how do I fix it?
>
> It means that you're getting an error while reading one of the sectors of the DVD. It might be a problem with the disc, but it could also be a problem with the hardware.
>
> Try doing a dd to copy all the bits to a local file, and pay attention to see if it has a problem reading the disc. Then run a sha256sum on the file it created.

Note also that the sha256sum of the whole disk is going to include the padding that gets appended, and so will not match the sha256sum of the ISO file that was written to the disk. The "isosize" command will tell you the size of the original file, and you need to pass just that many bytes to the "sha256sum" command.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
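Bob's isosize point carried through, as an added example that is not part of this thread: a POSIX shell helper that hashes only the ISO-sized prefix of the device, a wrapper that compares a disc against the ISO it was burned from (returning a distinct code when isosize itself cannot read the disc, which is the read-error situation Jonathan describes), and an offline demonstration on constructed data showing the whole-image hash diverging while the prefix hash still matches. isosize (util-linux) and head -c (GNU coreutils) are assumed to be available; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): hash only the ISO-sized prefix of a
# burned disc, as Bob suggests, and show why the whole-device hash differs.

# sha256 of the first SIZE bytes of DEV (device or image file).  SIZE
# defaults to what isosize(8) reports for DEV, i.e. the length of the ISO
# image that was written, excluding the padding the burner appended.
iso_sha256() {
    dev=$1
    size=${2:-$(isosize "$dev")} || return 2
    head -c "$size" "$dev" | sha256sum | cut -d' ' -f1
}

# Compare a disc against the ISO it was burned from.  Returns 0 on match,
# 1 on mismatch, 2 if isosize cannot read a volume descriptor (a read
# error here points at the disc or the drive, not at the checksum).
dvd_matches_iso() {
    dev=$1 iso=$2
    size=$(isosize "$dev") || return 2
    iso_len=$(wc -c < "$iso" | tr -d ' ')
    if [ "$size" -ne "$iso_len" ]; then
        echo "size mismatch: disc reports $size bytes, ISO is $iso_len" >&2
        return 1
    fi
    [ "$(iso_sha256 "$dev" "$size")" = "$(sha256sum "$iso" | cut -d' ' -f1)" ]
}

# Offline demonstration with constructed data: an "ISO" of 500 lines plus
# 4 KiB of zero padding standing in for the burned disc.  Returns 0 when
# the prefix hash matches the ISO and the whole-image hash does not.
demo_padding() {
    tmp=$(mktemp -d) || return 2
    seq 1 500 > "$tmp/image.iso"
    iso_len=$(wc -c < "$tmp/image.iso" | tr -d ' ')
    { cat "$tmp/image.iso"; head -c 4096 /dev/zero; } > "$tmp/disc.img"
    orig=$(sha256sum "$tmp/image.iso" | cut -d' ' -f1)
    whole=$(sha256sum "$tmp/disc.img" | cut -d' ' -f1)
    prefix=$(iso_sha256 "$tmp/disc.img" "$iso_len")
    rm -rf "$tmp"
    [ "$prefix" = "$orig" ] && [ "$whole" != "$orig" ]
}

if [ "${1:-}" = demo ]; then
    demo_padding && echo "prefix hash matches the ISO; whole-image hash does not"
fi
```

On a real disc the call is dvd_matches_iso /dev/sr0 /path/to/image.iso; a return of 2 means the drive could not even deliver the volume descriptor, so the dd copy Jonathan suggests is the next step.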
Re: [CentOS] Bonding mode balance-alb (6): How to control the assigned MAC address?
On 04/25/2017 12:32 PM, Frank Thommen wrote:
> Hi,
>
> we are trying to switch our bonding modes from 1 (active-backup) to 6 (balance-alb). However, it seems that these bond devices are not always getting the MAC address from the same slave. Sometimes the device gets the MAC address of the first and sometimes of the second slave. Since only the MAC address of the first slave device is (can be) registered in DHCP, this breaks connectivity (about) every second time we boot the computer.
>
> Is there a way to control which MAC address is assigned to the bonding device w/o configuring it explicitly in the ifcfg file?

can you set it at bonding time with the nmcli command?
[CentOS] Bonding mode balance-alb (6): How to control the assigned MAC address?
Hi,

we are trying to switch our bonding modes from 1 (active-backup) to 6 (balance-alb). However, it seems that these bond devices are not always getting the MAC address from the same slave. Sometimes the device gets the MAC address of the first and sometimes of the second slave. Since only the MAC address of the first slave device is (can be) registered in DHCP, this breaks connectivity (about) every second time we boot the computer.

Is there a way to control which MAC address is assigned to the bonding device w/o configuring it explicitly in the ifcfg file?

Cheers
frank
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 11:41 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 11:36 +0200, Robert Moskowitz wrote:
>> On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:
>>> On Tuesday 25 April 2017 at 11:19 +0200, Robert Moskowitz wrote:
>>>> /usr/lib/ld-2.17.so
>>>
>>> This file is not part of CentOS 7, nor CentOS 6 ?
>>
>> I am running Centos 7 armv7hl
>>
>> So it IS possible that I am missing something that did not get built right for armv7hl. We are often finding rpms that built, but did not get into the repo...
>>
>> So what provides ld-2.17.so for Centos 7 so I can backtrack it?
>
> Oh. I haven’t found out anything via yum provides on x86_64, that may explain why. Maybe someone running armv7hl could help, I don’t own such hardware running CentOS.

There is always QEMM emulation of armv7... :)

> That *may* be a armv7hl port bug, I’m afraid I can’t help you more on that point :-/
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:36 +0200, Robert Moskowitz wrote:
> On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:
>> On Tuesday 25 April 2017 at 11:19 +0200, Robert Moskowitz wrote:
>>> /usr/lib/ld-2.17.so
>>
>> This file is not part of CentOS 7, nor CentOS 6 ?
>
> I am running Centos 7 armv7hl
>
> So it IS possible that I am missing something that did not get built right for armv7hl. We are often finding rpms that built, but did not get into the repo...
>
> So what provides ld-2.17.so for Centos 7 so I can backtrack it?

Oh. I haven’t found out anything via yum provides on x86_64, that may explain why. Maybe someone running armv7hl could help, I don’t own such hardware running CentOS.

That *may* be a armv7hl port bug, I’m afraid I can’t help you more on that point :-/

--
Laurent Wandrebeck
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 11:19 +0200, Robert Moskowitz wrote:
>> /usr/lib/ld-2.17.so
>
> This file is not part of CentOS 7, nor CentOS 6 ?

I am running Centos 7 armv7hl

So it IS possible that I am missing something that did not get built right for armv7hl. We are often finding rpms that built, but did not get into the repo...

So what provides ld-2.17.so for Centos 7 so I can backtrack it?
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:19 +0200, Robert Moskowitz wrote:
> /usr/lib/ld-2.17.so

This file is not part of CentOS 7, nor CentOS 6 ?

--
Laurent Wandrebeck
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
>> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>>> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>>>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.
>>>>
>>>> From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>>
>>>> thanks
>>>
>>> Quick’n’(really) dirty SELinux howto:
>>> 1) Run the service. fails due to missing selinux policy.
>>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
>>
>> Do you really mean 'service_pattern', or is this a placeholder for something like mysql?
>>
>> As I get 'Nothing to do'
>
> placeholder which changes according to your needs.

I just made it worse. I put in mysql for myservice_policy, got a .pp and did:

semodule -i myservice_policy.pp

Now I get real errors like:

Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc r-xp 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd r--p 0001e000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd-b6fd1000 rw-p 0001f000 08:03 6076 /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 00:00 0 [stack]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 00:00 0 [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: -1000 r-xp 00:00 0 [vectors]

Which go away if I setenforce 0.

:(

myservice_policy.te has:

module myservice_policy 1.0;

require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 11:07 +0200, Robert Moskowitz wrote:
> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
>> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.
>>>
>>> From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)
>>>
>>> thanks
>>
>> Quick’n’(really) dirty SELinux howto:
>> 1) Run the service. fails due to missing selinux policy.
>> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
>
> Do you really mean 'service_pattern', or is this a placeholder for something like mysql?
>
> As I get 'Nothing to do'

placeholder which changes according to your needs.

--
Laurent Wandrebeck
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
>> Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.
>>
>> From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)
>>
>> thanks
>
> Quick’n’(really) dirty SELinux howto:
> 1) Run the service. fails due to missing selinux policy.
> 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy

Do you really mean 'service_pattern', or is this a placeholder for something like mysql?

As I get 'Nothing to do'

> 3) do what output says. (semodule -i myservice_policy.pp normally)
> 4) goto 1.
>
> That way, you’ll create and allow step by step necessary rights so your service ends up running normally.
>
> The content I gave you is from mydovecot.te (human readable version of .pp created by audit2allow). After a quick look at audit2allow man, it looks like you can get .pp by doing:
> make -f /usr/share/selinux/devel/Makefile myservice_policy.pp
> (it’ll look after myservice_policy.te in PWD).
>
> HTH,
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:39 +0200, Robert Moskowitz wrote:
> Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.
>
> From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)
>
> thanks

Quick’n’(really) dirty SELinux howto:
1) Run the service. fails due to missing selinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
3) do what output says. (semodule -i myservice_policy.pp normally)
4) goto 1.

That way, you’ll create and allow step by step necessary rights so your service ends up running normally.

The content I gave you is from mydovecot.te (human readable version of .pp created by audit2allow). After a quick look at audit2allow man, it looks like you can get .pp by doing:
make -f /usr/share/selinux/devel/Makefile myservice_policy.pp
(it’ll look after myservice_policy.te in PWD).

HTH,

--
Laurent Wandrebeck
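The denial-to-rule step that Laurent's howto above and Gordon's five-step variant elsewhere in this thread both hand to audit2allow, as an added example that is not part of the thread and not code from the audit2allow or semodule tools: a POSIX shell/awk helper that turns AVC denial records into the allow rules one would expect in a .te file, merging and de-duplicating permissions per source type, target type and class, so the rules can be read before a module is compiled. It assumes the standard audit.log AVC record layout (scontext=, tcontext=, tclass=, the permission set in braces); the sample records are constructed to mirror the dovecot-to-mysql denials in this thread and are not taken from anyone's system. It deliberately reproduces none of audit2allow's analysis, so it emits no "mislabeled" or "boolean" hints of the kind asked about in this thread. module_name() isolates the detail behind the semodule -r failure quoted later: semodule wants the module name, not the .pp file name. The wrapper at the end follows Gordon's steps but substitutes ausearch -ts recent for the tail -f terminal; it needs root on a live SELinux host and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): review AVC denials before handing
# them to audit2allow, plus the module-name detail behind "semodule -r".

# Constructed sample records in audit.log AVC layout.  They mirror the
# dovecot -> mysql denials discussed in the thread; they are not real logs.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1493162745.101:301): avc:  denied  { connectto } for  pid=2211 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1493162745.101:301): arch=40000028 syscall=283 success=yes exit=0 comm="dict" exe="/usr/libexec/dovecot/dict" subj=system_u:system_r:dovecot_t:s0 key=(null)
type=AVC msg=audit(1493162745.102:302): avc:  denied  { read } for  pid=2211 comm="dict" name="my.cnf" dev="mmcblk0p3" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493162745.103:303): avc:  denied  { open getattr } for  pid=2211 comm="dict" path="/etc/my.cnf" dev="mmcblk0p3" ino=4711 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493162745.104:304): avc:  denied  { connectto } for  pid=2211 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
EOF
}

# Read AVC records on stdin; print one "allow" rule per (source type,
# target type, class) with the permissions merged and sorted.  Non-AVC
# records and duplicate denials are dropped.  Unlike audit2allow this does
# no analysis, so it emits no boolean or relabel hints.
avc_to_allow() {
    awk '
    /^type=AVC / && /avc: +denied +[{]/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep text after "{"
        sub(/ *[}].*/, "", perms)           # drop text from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (p[j] != "") print src, tgt ":" cls, p[j]
    }' | LC_ALL=C sort -u | awk '
    function emit() {
        if (count == 1) print "allow " prev " " list ";"
        else            print "allow " prev " { " list " };"
    }
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") emit()
            prev = key; list = ""; count = 0
        }
        list = (list == "" ? $3 : list " " $3); count++
    }
    END { if (prev != "") emit() }'
}

# semodule -r takes the module name, not the .pp file name: the thread's
# "semodule -r myservice_policy.pp" fails where "semodule -r myservice_policy"
# succeeds.  Strip any directory and a trailing .pp.
module_name() {
    name=${1##*/}
    printf '%s\n' "${name%.pp}"
}

# Gordon's five steps, wrapped so the rules are shown for review before the
# module is compiled.  Needs root on a live SELinux host; not run offline.
# "ausearch -m AVC -ts recent" (last 10 minutes) stands in for the
# "tail -f /var/log/audit/audit.log | grep AVC" terminal.
build_module_from_live_denials() {
    mod=$(module_name "$1")
    setenforce permissive
    printf 'Exercise the service now, then press Enter: '
    read -r _
    ausearch -m AVC -ts recent > "/tmp/$mod.avc" || { setenforce enforcing; return 1; }
    echo "Rules that would be generated:"
    avc_to_allow < "/tmp/$mod.avc"
    printf 'Compile and install %s.pp? [y/N] ' "$mod"
    read -r answer
    [ "$answer" = y ] || { setenforce enforcing; return 1; }
    audit2allow -M "$mod" < "/tmp/$mod.avc" && semodule -i "$mod.pp"
    setenforce enforcing
}

if [ "${1:-}" = demo ]; then
    sample_avc | avc_to_allow
fi
```

Running the script with the argument demo prints the two merged rules for the constructed records (one for the mysqld_etc_t files, one for the mysqld_t socket); a rule you did not expect to see at this point is the cue to look for a relabel or a boolean before compiling anything.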
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Thanks Laurent. You obviously know a LOT more about SELinux than I. I pretty much just use commands and not build policies. So I need some more information here.

From what you provided below, how do I determine what is currently in place and how do I add your stuff (changing postgresql with mysql, nat.)

thanks

On 04/25/2017 10:26 AM, Laurent Wandrebeck wrote:
> On Tuesday 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
>> I thought I had this fixed, but I do not. I was away from this problem working on other matters, and came back (after a reboot) and it is still there, so I suspect when I thought I had it 'fixed' I was running with setenforce 0 from another problem (that is fixed).
>>
>> So anyone know how to get dovecot dict connecting to mysql when enforcing? Googling is not finding any real help.
>
> Hi,
>
> I’ve got some « tweaking » here (using postgresql, obviously) so that dovecot runs properly with SELinux enabled,
>
> HTH,
> Laurent.
>
> module mydovecot 1.0;
>
> require {
>     type dovecot_auth_t;
>     type postgresql_port_t;
>     type dovecot_t;
>     type var_t;
>     type postfix_virtual_tmp_t;
>     class tcp_socket name_connect;
>     class file { rename read lock create write getattr link unlink open append };
>     class dir { read write create add_name remove_name };
> }
>
> #============= dovecot_auth_t ==============
>
> # This avc is allowed in the current policy
> allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;
>
> #============= dovecot_t ==============
>
> # This avc is allowed in the current policy
> allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
> allow dovecot_t var_t:dir create;
>
> # This avc is allowed in the current policy
> allow dovecot_t var_t:dir { read write add_name remove_name };
>
> # This avc is allowed in the current policy
> allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };
Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
> I thought I had this fixed, but I do not. I was away from this problem working on other matters, and came back (after a reboot) and it is still there, so I suspect when I thought I had it 'fixed' I was running with setenforce 0 from another problem (that is fixed).
>
> So anyone know how to get dovecot dict connecting to mysql when enforcing? Googling is not finding any real help.

Hi,

I’ve got some « tweaking » here (using postgresql, obviously) so that dovecot runs properly with SELinux enabled,

HTH,
Laurent.

module mydovecot 1.0;

require {
    type dovecot_auth_t;
    type postgresql_port_t;
    type dovecot_t;
    type var_t;
    type postfix_virtual_tmp_t;
    class tcp_socket name_connect;
    class file { rename read lock create write getattr link unlink open append };
    class dir { read write create add_name remove_name };
}

#============= dovecot_auth_t ==============

# This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#============= dovecot_t ==============

# This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
allow dovecot_t var_t:dir create;

# This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

# This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };

--
Laurent Wandrebeck
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I thought I had this fixed, but I do not. I was away from this problem working on other matters, and came back (after a reboot) and it is still there, so I suspect when I thought I had it 'fixed' I was running with setenforce 0 from another problem (that is fixed).

So anyone know how to get dovecot dict connecting to mysql when enforcing? Googling is not finding any real help.

On 04/07/2017 04:37 PM, Robert Moskowitz wrote:
> I have been getting the following on my new mailserver:
>
> Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
>
> They go away when I setenforce 0.
>
> So I googled dovecot mysql selinux and the only worthwhile hit was:
>
> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
>
> that provides a /etc/selinux/dovecot2mysql.te
>
> Is there a simpler way like a setsebool option?
>
> With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).
>
> thanks!