Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/26/2017 07:29 AM, Robert Moskowitz wrote:



On 04/26/2017 04:22 AM, Gordon Messmer wrote:

On 04/25/2017 03:25 PM, Robert Moskowitz wrote:

This made the same content as before that caused problems:


I still don't understand, exactly.  Are you seeing *new* problems 
after installing a policy?  What are the problems?


# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.

# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'

allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?


I'm not sure about the first two.  The context you see is the same I 
see on the one system where I run mysqld.  Running restorecon doesn't 
change that context.


As for the latter, it sounds like you should be able to remove your 
custom policy and "setsebool -P daemons_enable_cluster_mode 1" to 
allow dovecot to connect to mysql.


Did not work.  It was set off, so I turned it on and tried it out.  Got 
the same errors:


Apr 26 01:25:45 z9m9z dovecot: dict: Error: 
mysql(/var/lib/mysql/mysql.sock): Connect failed to database 
(postfix): Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: 
Not connected to database


You would think that the mysql people would have a boolean to allow 
specific apps to access the socket.


And document it.


mysql.org is really NOT helpful.  They say:

If you are running under Linux and Security-Enhanced Linux (SELinux) is 
enabled, make sure you have disabled SELinux protection for the mysqld 
process.


The only policy available is for allowing http to access mysql.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/26/2017 04:22 AM, Gordon Messmer wrote:

On 04/25/2017 03:25 PM, Robert Moskowitz wrote:

This made the same content as before that caused problems:


I still don't understand, exactly.  Are you seeing *new* problems 
after installing a policy?  What are the problems?



# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'

allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?


I'm not sure about the first two.  The context you see is the same I 
see on the one system where I run mysqld.  Running restorecon doesn't 
change that context.


As for the latter, it sounds like you should be able to remove your 
custom policy and "setsebool -P daemons_enable_cluster_mode 1" to 
allow dovecot to connect to mysql.


Did not work.  It was set off, so I turned it on and tried it out.  Got 
the same errors:


Apr 26 01:25:45 z9m9z dovecot: dict: Error: 
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): 
Can't connect to local MySQL server through socket 
'/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: Not 
connected to database


You would think that the mysql people would have a boolean to allow 
specific apps to access the socket.


And document it.




Re: [CentOS] saslauth logging

2017-04-25 Thread Jobst Schmalenbach
On Tue, Apr 25, 2017 at 07:14:56PM -0700, Gordon Messmer 
(gordon.mess...@gmail.com) wrote:
> On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:
> > What I want is the IP address and if possible the incorrect password (just 
> > to see how far they are off).
> > Is this possible?
> 
> I hope not.  That's a terrible idea.  Every time a user fat-fingers their
> password, your plain-text logs have a copy of their almost-correct password.
>

As always there are tradeoffs ... 
I have a reasonably strict password policy, so by looking at the failed 
passwords I can see how far the tries are off the real thing, so it actually is 
a good thing for me. Also I learn which passwords are used for cracking, which 
again is a good thing. As for the logged passwords - this is a non user server, 
only two people have access ... so reading the logs is difficult for 
imap/sendmail users in the company ...

J


-- 
Gravity does not exist, the Earth sucks.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia


Re: [CentOS] saslauth logging

2017-04-25 Thread Jobst Schmalenbach
On Tue, Apr 25, 2017 at 07:15:43PM -0700, John R Pierce (pie...@hogranch.com) 
wrote:
> On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote:
>
> snip
>
> client request originated from, so logging the IP of the failed request had
> best be done at a higher layer.

Good answer, makes sense.
As for the higher layer used - can be either sendmail or imaps as both use the 
saslauth.
Just need to find a way to "connect" the sasl request to the caller that issued 
the sasl request ...

thx
Jobst





-- 
Student to Teacher: Sir, what's an oxymoron?  Teacher to Student: Microsoft 
security.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L & The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia


[CentOS] kde panels not retaining launcher icon

2017-04-25 Thread geo.inbox.ignored

greetings one and all.

new install of centos 6.8.

3 kde panels @ left, top, right sides.

left and top panel are for program selection. right panel for active running
programs.

added 'launcher' icons to left and top panels, but panels are not retaining
launcher icons.

when i close kde to save ~/.kde file and reopen kde, 1, 2, or all 3 panels
will be missing launcher.

has anyone else seen such or know of cure?

much help appreciated.

tia.


-- 

The important thing is not to stop questioning.
 - Albert Einstein


CentOS GNU/Linux 6.8 -- KDE 4.3.4
Firefox 45.7.0 -- Thunderbird 45.6.0
GNUCash 2.4.15 -- zoneminder 1.30.0


peace out.

tc,hago.

g
.

=+=
Tired of having your microsoft os hacked?
Change to Linux os, used by microsoft hackers.
=+=
in a world with out fences, who needs gates.
=+=


Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Gordon Messmer

On 04/25/2017 03:25 PM, Robert Moskowitz wrote:

This made the same content as before that caused problems:


I still don't understand, exactly.  Are you seeing *new* problems after 
installing a policy?  What are the problems?



# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'

allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?


I'm not sure about the first two.  The context you see is the same I see 
on the one system where I run mysqld.  Running restorecon doesn't change 
that context.


As for the latter, it sounds like you should be able to remove your 
custom policy and "setsebool -P daemons_enable_cluster_mode 1" to allow 
dovecot to connect to mysql.





Re: [CentOS] saslauth logging

2017-04-25 Thread John R Pierce

On 4/25/2017 7:00 PM, Jobst Schmalenbach wrote:

Is it possible to log a bit more detail when an auth failure occurs when using 
saslauthd?

   saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] 
[realm=DELETED] [mech=pam] [reason=PAM auth error]

What I want is the IP address and if possible the incorrect password (just to 
see how far they are off).
Is this possible?



what protocol are these users connecting with that's using saslauthd?  
http or smtp or imap or what?   I'm pretty sure that by the time 
you've gotten down to the SASL layer, saslauthd has no clue what IP 
address the client request originated from, so logging the IP of the 
failed request had best be done at a higher layer.



--
john r pierce, recycling bits in santa cruz



Re: [CentOS] saslauth logging

2017-04-25 Thread Gordon Messmer

On 04/25/2017 07:00 PM, Jobst Schmalenbach wrote:

What I want is the IP address and if possible the incorrect password (just to 
see how far they are off).
Is this possible?



I hope not.  That's a terrible idea.  Every time a user fat-fingers 
their password, your plain-text logs have a copy of their almost-correct 
password.




[CentOS] saslauth logging

2017-04-25 Thread Jobst Schmalenbach
Hi

Not sure whether this is the correct list to ask ... if it's not please direct 
me to the correct one.

Is it possible to log a bit more detail when an auth failure occurs when using 
saslauthd?

  saslauthd[2119]: do_auth : auth failure: [user=DELETED] [service=smtp] 
[realm=DELETED] [mech=pam] [reason=PAM auth error]

What I want is the IP address and if possible the incorrect password (just to 
see how far they are off).
Is this possible?


thanks
Jobst





-- 
If a pig loses its voice, is it disgruntled?

  | |0| |   Jobst Schmalenbach
  | | |0|   jo...@barrett.com.au
  |0|0|0|   General Manager
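Gordon's and John's replies to this question make two points worth turning into code: the attempted password must never reach a plain-text log, and saslauthd's failure line does not carry the client address, so the only identity available at this layer is the user and service named in the line. The defensive way to get what Jobst is after (spotting guessing attempts) is to alert on the failure pattern itself. The Python below is an added example, not from the thread: a sliding-window burst detector over constructed log lines in the format quoted above. Host name, user names, realm and timestamps are invented; the first sample line is unrelated saslauthd output included only to show that it is ignored.

```python
"""Rate-based detection of password guessing from saslauthd logs (added example).

saslauthd's failure line carries user, service, realm and mechanism but neither
the client IP nor the password.  This detector works on what is there: it counts
failures per (user, service) in a sliding time window and flags bursts, without
ever needing the attempted password.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines in the format quoted in the thread.  Host, user
# names, realm and times are made up; the first line is unrelated saslauthd
# output included to show that it is skipped.
SAMPLE_LOG = """\
Apr 25 18:57:50 mail saslauthd[2119]: detach_tty      : master pid is: 2119
Apr 25 18:58:01 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:03 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:04 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:06 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:09 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:11 mail saslauthd[2119]: do_auth         : auth failure: [user=bob] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 18:58:12 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
Apr 25 19:05:40 mail saslauthd[2119]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=example.com] [mech=pam] [reason=PAM auth error]
"""

# Matches only the do_auth failure line; the whitespace before the colon varies
# with saslauthd's column padding, so it is matched loosely.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: "
    r"do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] \[reason=(?P<reason>[^\]]*)\]"
)


def parse_failures(lines, year=2017):
    """Return one dict per auth-failure line; other saslauthd lines are skipped.

    syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect_bursts(lines, threshold=5, window_seconds=60, year=2017):
    """Return (user, service, peak) for every identity whose failure count
    inside some window_seconds-long window reached threshold."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    peak = defaultdict(int)       # key -> largest window count seen
    for ev in parse_failures(lines, year):
        key = (ev["user"], ev["service"])
        window = recent[key]
        window.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak[key] = max(peak[key], len(window))
    return [(u, s, n) for (u, s), n in sorted(peak.items()) if n >= threshold]


if __name__ == "__main__":
    for user, service, count in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"possible password guessing: user={user} service={service} failures={count}/60s")
```

Run against a real /var/log/messages or /var/log/secure (depending on where saslauthd logs on the host) the detector reports bursts per user and service; correlating those with a client address has to happen in the SMTP or IMAP server's own log, as John says, because the address is gone by the time saslauthd sees the request.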


Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 06:45 PM, Gordon Messmer wrote:

On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:

Quick’n’(really) dirty SELinux howto:



Alternate process:

1: setenforce permissive
2: tail -f /var/log/audit/audit.log | grep AVC
3: use the service, exercise each function that's constrained by the 
existing policy
4: copy and paste the output from the terminal used for #2 into 
"audit2allow -M "

5: setenforce enforcing

This process is less iterative, which can save a *lot* of time 
building some policies.


This made the same content as before that caused problems:


module myservice_policy 1.0;

require {
type dovecot_t;
type mysqld_etc_t;
type mysqld_t;
class unix_stream_socket connectto;
class file { getattr open read };
class dir read;
}

#= dovecot_t ==
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'

allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?  I don't think I want to restorecon for a 
socket:


# ls -Z /var/lib/mysql
-rw-rw. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.0001
-rw-rw. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx--. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx--. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx--. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx--. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 09:34 PM, Gordon Messmer wrote:

On 04/25/2017 12:05 PM, Robert Moskowitz wrote:


How do I undo the damage the last attempt caused? 


I'm not sure what damage you mean.

If you installed a custom selinux module already and want to remove 
it, look at the files in 
/etc/selinux/targeted/modules/active/modules/.  Those are the modules 
you've installed.  Use "semodule -r " to remove the ones 
you don't need.


OK.  Got the old stuff removed.  I was including the .pp in the 
.  Left that off and the remove worked.


Now to try your instructions,




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 09:34 PM, Gordon Messmer wrote:

On 04/25/2017 12:05 PM, Robert Moskowitz wrote:


How do I undo the damage the last attempt caused? 


I'm not sure what damage you mean.

If you installed a custom selinux module already and want to remove 
it, look at the files in /etc/selinux/targeted/modules/active/modules/.


Nothing there.  But I found entries with the same name I installed under

/etc/selinux/targeted/active/modules/400

Those are the modules you've installed.  Use "semodule -r 
" to remove the ones you don't need.

So I tried this and it failed:

# semodule -r myservice_policy.pp
libsemanage.semanage_direct_remove_key: Unable to remove module 
myservice_policy.pp at priority 400. (No such file or directory).

semodule:  Failed!

But it is there:

# ls /etc/selinux/targeted/active/modules/400/ -ls
total 4
4 drwx--. 2 root root 4096 Apr 25 05:10 myservice_policy

# ls /etc/selinux/targeted/active/modules/400/myservice_policy/ -ls
total 12
4 -rw-r--r--. 1 root root 177 Apr 25 05:10 cil
4 -rw-r--r--. 1 root root 325 Apr 25 05:10 hll
4 -rw-r--r--. 1 root root   2 Apr 25 05:09 lang_ext

Do I simply delete these files?




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Gordon Messmer

On 04/25/2017 12:05 PM, Robert Moskowitz wrote:


How do I undo the damage the last attempt caused? 


I'm not sure what damage you mean.

If you installed a custom selinux module already and want to remove it, 
look at the files in /etc/selinux/targeted/modules/active/modules/.  
Those are the modules you've installed.  Use "semodule -r " 
to remove the ones you don't need.



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 06:45 PM, Gordon Messmer wrote:

On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:

Quick’n’(really) dirty SELinux howto:



Alternate process:

1: setenforce permissive
2: tail -f /var/log/audit/audit.log | grep AVC
3: use the service, exercise each function that's constrained by the 
existing policy
4: copy and paste the output from the terminal used for #2 into 
"audit2allow -M "

5: setenforce enforcing

This process is less iterative, which can save a *lot* of time 
building some policies.


How do I undo the damage the last attempt caused?

I am on the road right now (Venice, IT to speak tomorrow on Identity 
Oriented Networking), and I left my test system running back home. To 
get to it is two SSH hops.  The WiFi in this hotel is a pain.  It times 
out after 1 hour and you have to do a web access.  It does not 
understand things like IMAP and SSH...





Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Gordon Messmer

On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:

Quick’n’(really) dirty SELinux howto:



Alternate process:

1: setenforce permissive
2: tail -f /var/log/audit/audit.log | grep AVC
3: use the service, exercise each function that's constrained by the 
existing policy
4: copy and paste the output from the terminal used for #2 into 
"audit2allow -M "

5: setenforce enforcing

This process is less iterative, which can save a *lot* of time building 
some policies.




[CentOS] Odd disk automount issue on C7.3.1611

2017-04-25 Thread Lamar Owen
I'm posting here before going through all the fun to do up a real bug 
report to see if anyone else has seen this behavior.


I have two identical Dynex external USB3 drive enclosures with identical 
3TB drives in each enclosure.  The dmesg output shows:

$ dmesg |grep TOSHIBA
[   59.942546] scsi 7:0:0:0: Direct-Access TOSHIBA 
DT01ACA300PQ: 0 ANSI: 6
[   86.301123] scsi 8:0:0:0: Direct-Access TOSHIBA 
DT01ACA300PQ: 0 ANSI: 6

$

HOWEVER, the 'Disks' utility program only sees the first one plugged-in, 
and not the second one.  It doesn't matter which one I plug in first; 
the second one won't get seen by Disks nor will it get automounted.  It 
doesn't even do the 'USB device inserted' sound, for that matter.  As 
another oddity, one of the drives has a LUKS-encrypted ext4 filesystem; 
the other has an XFS filesystem; if I plug in the XFS-formatted drive 
first, the LUKS-encrypted one will no longer automount even if the 
XFS-formatted drive is unmounted and unplugged first, but the 
converse does work (mount LUKS+ext4; unmount and unplug; plug in XFS, it 
gets automounted).


If I plug in the LUKS+ext4 disk first, enter the passphrase, and let it 
mount, then plug in the XFS drive, I can then manually (from the command 
line) mount it just fine and both drives work just fine. Both drives 
work fine when used singly, but not when both are plugged-in.


So, has anyone else seen this?  I don't mind filing a bug report, but I 
am at a bit of a loss as to what component to file it under. I haven't 
dug into too many logs or other files as yet, but I can if I need to do 
so.  I ran into this making an encrypted copy of the contents of the XFS 
disk, which will be wiped and reformatted LUKS+ext4, and I'd like to make 
these two drives back each other up.


If I plug in a different USB3 drive, such as my 4TB Seagate, everything 
works as expected; it seems to only be the identical drives that confuse 
whatever process is detecting this.


--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
828-862-5554
www.pari.edu



Re: [CentOS] sha256sum a dvd

2017-04-25 Thread Robert Nichols

On 04/24/2017 12:39 PM, Jonathan Billings wrote:

On Mon, Apr 24, 2017 at 12:53:36PM -0400, James B. Byrne wrote:


CentOS-6.9

I am trying to verify a locally created dvd.  I am using sha256sum in
this fashion:
sha256sum /dev/sr0

Which gave this result:

sha256sum: /dev/sr0: Input/output error


So I tried this:
sha256sum /dev/cdrom

Which, after some time, also produces:

sha256sum: /dev/cdrom: Input/output error

What does this mean and how do I fix it?


It means that you're getting an error while reading one of the sectors
of the DVD.  It might be a problem with the disc, but it could also be
a problem with the hardware.

Try doing a dd to copy all the bits to a local file, and pay attention
to see if it has a problem reading the disc.  Then run a sha256sum on
the file it created.
 
Note also that the sha256sum of the whole disk is going to include the padding that gets appended, and so will not match the sha256sum of the ISO file that was written to the disk. The "isosize" command will tell you the size of the original file, and you need to pass just that many bytes to the "sha256sum" command.


--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
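Bob's point is the one a worked example makes concrete: a hash over the whole device covers the padding written after the image, so it can never equal the hash of the .iso file, whereas isosize reads the volume length out of the image's own primary volume descriptor. The Python below is an added example, not from the thread: it re-implements that descriptor lookup and compares the two hashes on a fake image constructed in memory. The 32-block volume and 150-sector zero run-out are invented sample sizes; the descriptor offsets are those of ECMA-119/ISO 9660.

```python
"""Hash only the ISO 9660 volume, not the padded disc (added example).

isosize(8) recovers the image length from the primary volume descriptor (PVD);
this reimplements that lookup so the disc hash and the .iso hash can be compared.
"""
import hashlib
import struct

SECTOR = 2048       # ISO 9660 logical sector size
PVD_SECTOR = 16     # sectors 0..15 are the system area; the PVD follows


def iso_volume_size(image):
    """Return the volume length in bytes, as isosize does.

    PVD layout (ECMA-119): byte 0 type (1 = primary), bytes 1..5 'CD001',
    bytes 80..87 volume space size in blocks as a both-endian 32-bit pair,
    bytes 128..131 logical block size as a both-endian 16-bit pair.
    """
    start = PVD_SECTOR * SECTOR
    pvd = image[start:start + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    blocks_le = struct.unpack_from("<I", pvd, 80)[0]
    blocks_be = struct.unpack_from(">I", pvd, 84)[0]
    bsize_le = struct.unpack_from("<H", pvd, 128)[0]
    bsize_be = struct.unpack_from(">H", pvd, 130)[0]
    # The little- and big-endian copies must agree; if not, the PVD is damaged.
    if blocks_le != blocks_be or bsize_le != bsize_be:
        raise ValueError("both-endian PVD fields disagree")
    return blocks_le * bsize_le


def sha256_prefix(data, length):
    """SHA-256 over the first `length` bytes, like `head -c length | sha256sum`."""
    return hashlib.sha256(data[:length]).hexdigest()


def disc_matches_iso(disc, iso):
    """True if the disc's volume bytes hash to the same value as the .iso file."""
    return sha256_prefix(disc, iso_volume_size(disc)) == sha256_prefix(iso, len(iso))


def build_sample(volume_blocks, padding_blocks):
    """Construct a fake .iso (system area, PVD, terminator, payload) and the same
    image as it reads back from a disc with trailing run-out padding."""
    pvd = bytearray(SECTOR)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1                                   # descriptor version
    struct.pack_into("<I", pvd, 80, volume_blocks)
    struct.pack_into(">I", pvd, 84, volume_blocks)
    struct.pack_into("<H", pvd, 128, SECTOR)
    struct.pack_into(">H", pvd, 130, SECTOR)
    terminator = bytearray(SECTOR)
    terminator[0] = 255                          # volume descriptor set terminator
    terminator[1:6] = b"CD001"
    terminator[6] = 1
    payload = bytes([0x5A]) * ((volume_blocks - PVD_SECTOR - 2) * SECTOR)
    iso = bytes(PVD_SECTOR * SECTOR) + bytes(pvd) + bytes(terminator) + payload
    disc = iso + bytes(padding_blocks * SECTOR)  # zero-filled run-out
    return iso, disc


if __name__ == "__main__":
    iso, disc = build_sample(volume_blocks=32, padding_blocks=150)
    print("isosize   :", iso_volume_size(disc), "bytes")
    print("whole disc:", sha256_prefix(disc, len(disc)))
    print("iso file  :", sha256_prefix(iso, len(iso)))
    print("volume-only hash matches iso:", disc_matches_iso(disc, iso))
```

On a real drive the same check is `head -c "$(isosize /dev/sr0)" /dev/sr0 | sha256sum`, which reads exactly the volume bytes and whose output should then match `sha256sum` of the original .iso.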



Re: [CentOS] Bonding mode balance-alb (6): How to control the assigned MAC address?

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 12:32 PM, Frank Thommen wrote:

Hi,

we are trying to switch our bonding modes from 1 (active-backup) to 6 
(balance-alb).  However it seems, that these bond devices are not 
always getting the MAC address from the same slave.  Sometimes the 
device gets the MAC address of the first and sometimes of the second 
slave.  Since only the MAC address of the first slave device is (can 
be) registered in DHCP, this breaks connectivity (about) every second 
time we boot the computer.


Is there a way to control which MAC address is assigned to the bonding 
device w/o configuring it explicitly in the ifcfg file?


can you set it at bonding time with the nmcli command?




[CentOS] Bonding mode balance-alb (6): How to control the assigned MAC address?

2017-04-25 Thread Frank Thommen

Hi,

we are trying to switch our bonding modes from 1 (active-backup) to 6 
(balance-alb).  However it seems, that these bond devices are not always 
getting the MAC address from the same slave.  Sometimes the device gets 
the MAC address of the first and sometimes of the second slave.  Since 
only the MAC address of the first slave device is (can be) registered in 
DHCP, this breaks connectivity (about) every second time we boot the 
computer.


Is there a way to control which MAC address is assigned to the bonding 
device w/o configuring it explicitly in the ifcfg file?


Cheers
frank




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 11:41 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 11:36 +0200, Robert Moskowitz a écrit :

On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 11:19 +0200, Robert Moskowitz a écrit :

/usr/lib/ld-2.17.so

This file is not part of CentOS 7, nor CentOS 6 ?

I am running Centos 7 armv7hl

So it IS possible that I am missing something that did not get built
right for armv7hl.  We are often finding rpms that built, but did not
get into the repo...

So what provides ld-2.17.so for Centos 7 so I can backtrack it?


Oh. I haven’t found out anything via yum provides on x86_64, that may
explain why.

Maybe someone running armv7hl could help, I don’t own such hardware
running CentOS.


There is always QEMU emulation of armv7...  :)


  That *may* be a armv7hl port bug, I’m afraid I can’t
help you more on that point :-/




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Laurent Wandrebeck
Le mardi 25 avril 2017 à 11:36 +0200, Robert Moskowitz a écrit :
> 
> On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:
> > Le mardi 25 avril 2017 à 11:19 +0200, Robert Moskowitz a écrit :
> >> /usr/lib/ld-2.17.so
> > This file is not part of CentOS 7, nor CentOS 6 ?
> 
> I am running Centos 7 armv7hl
> 
> So it IS possible that I am missing something that did not get built 
> right for armv7hl.  We are often finding rpms that built, but did not 
> get into the repo...
> 
> So what provides ld-2.17.so for Centos 7 so I can backtrack it?
> 

Oh. I haven’t found out anything via yum provides on x86_64, that may
explain why.

Maybe someone running armv7hl could help, I don’t own such hardware
running CentOS. That *may* be a armv7hl port bug, I’m afraid I can’t
help you more on that point :-/
-- 
Laurent Wandrebeck 



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 11:29 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 11:19 +0200, Robert Moskowitz a écrit :

/usr/lib/ld-2.17.so

This file is not part of CentOS 7, nor CentOS 6 ?


I am running Centos 7 armv7hl

So it IS possible that I am missing something that did not get built 
right for armv7hl.  We are often finding rpms that built, but did not 
get into the repo...


So what provides ld-2.17.so for Centos 7 so I can backtrack it?




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Laurent Wandrebeck
Le mardi 25 avril 2017 à 11:19 +0200, Robert Moskowitz a écrit :
> /usr/lib/ld-2.17.so

This file is not part of CentOS 7, nor CentOS 6 ?
-- 
Laurent Wandrebeck 



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 11:12 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 11:07 +0200, Robert Moskowitz a écrit :

On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit :

Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I
pretty much just use commands and not build policies.  So I need some
more information here.

   From what you provided below, how do I determine what is currently in
place and how do I add your stuff (changing postgresql with mysql, nat.)

thanks

Quick’n’(really) dirty SELinux howto:
1) Run the service. fails due to missing selinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy

Do you really mean 'service_pattern', or is this a placeholder for
something like mysql?

As I get 'Nothing to do'

placeholder which changes according to your needs.
I just made it worse.  I put in mysql for myservice_policy, got a .pp 
and did:


semodule -i myservice_policy.pp


Now I get real errors like:

Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fa1000-b6fc r-xp 
 08:03 6076   /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fc5000-b6fc7000 rw-p 
 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcd000-b6fcf000 rw-p 
 00:00 0
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fcf000-b6fd r--p 
0001e000 08:03 6076   /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: b6fd-b6fd1000 rw-p 
0001f000 08:03 6076   /usr/lib/ld-2.17.so
Apr 25 05:13:16 z9m9z dovecot: dict: Error: bee46000-bee67000 rw-p 
 00:00 0  [stack]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: beec5000-beec6000 r-xp 
 00:00 0  [sigpage]
Apr 25 05:13:16 z9m9z dovecot: dict: Error: -1000 r-xp 
 00:00 0  [vectors]


Which go away if I setenforce 0.  :(

myservice_policy.te has:


module myservice_policy 1.0;

require {
type dovecot_t;
type mysqld_etc_t;
type mysqld_t;
class unix_stream_socket connectto;
class file { getattr open read };
class dir read;
}

#= dovecot_t ==
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

# The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
# This avc can be allowed using the boolean 'daemons_enable_cluster_mode'

allow dovecot_t mysqld_t:unix_stream_socket connectto;




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Laurent Wandrebeck
Le mardi 25 avril 2017 à 11:07 +0200, Robert Moskowitz a écrit :
> 
> On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:
> > Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit :
> >> Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I
> >> pretty much just use commands and not build policies.  So I need some
> >> more information here.
> >>
> >>   From what you provided below, how do I determine what is currently in
> >> place and how do I add your stuff (changing postgresql with mysql, nat.)
> >>
> >> thanks
> > Quick’n’(really) dirty SELinux howto:
> > 1) Run the service. fails due to missing selinux policy.
> > 2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
> 
> Do you really mean 'service_pattern', or is this a placeholder for 
> something like mysql?
> 
> As I get 'Nothing to do'

placeholder which changes according to your needs.
-- 
Laurent Wandrebeck 



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz



On 04/25/2017 10:58 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit :

Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I
pretty much just use commands and not build policies.  So I need some
more information here.

  From what you provided below, how do I determine what is currently in
place and how do I add your stuff (changing postgresql with mysql, nat.)

thanks

Quick’n’(really) dirty SELinux howto:
1) Run the service. fails due to missing selinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy


Do you really mean 'service_pattern', or is this a placeholder for 
something like mysql?


As I get 'Nothing to do'


3) do what output says. (semodule -i myservice_policy.pp normally)
4) goto 1. That way, you’ll create and allow step by step necessary
rights so your service ends up running normally.

The content I gave you is from mydovecot.te (human readable version
of .pp created by audit2allow).

After a quick look at audit2allow man, it looks like you can get .pp by
doing:
make -f /usr/share/selinux/devel/Makefile myservice_policy.pp (it’ll
look after myservice_policy.te in PWD).

HTH,




Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Laurent Wandrebeck
Le mardi 25 avril 2017 à 10:39 +0200, Robert Moskowitz a écrit :
> Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I 
> pretty much just use commands and not build policies.  So I need some 
> more information here.
> 
>  From what you provided below, how do I determine what is currently in 
> place and how do I add your stuff (changing postgresql with mysql, nat.)
> 
> thanks

Quick’n’(really) dirty SELinux howto:
1) Run the service. fails due to missing selinux policy.
2) grep service_pattern /var/log/audit/audit.log | audit2allow -M myservice_policy
3) do what output says. (semodule -i myservice_policy.pp normally)
4) goto 1. That way, you’ll create and allow step by step necessary
rights so your service ends up running normally.

The content I gave you is from mydovecot.te (human readable version
of .pp created by audit2allow).

After a quick look at audit2allow man, it looks like you can get .pp by
doing:
make -f /usr/share/selinux/devel/Makefile myservice_policy.pp (it’ll
look after myservice_policy.te in PWD).

HTH,
-- 
Laurent Wandrebeck 
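Laurent's iterative howto and Gordon's permissive-mode variant earlier in the thread both reduce to the same step: collect the AVC denial records for the service, reduce them to (source type, target type, object class, permissions) and write those out as allow rules in a .te file. The Python below is an added example, not part of the thread and not the audit2allow tool (it lacks audit2allow's dontaudit handling, boolean and mislabel hints and interface lookup); it reproduces that core step so the origin of the rules in Robert's myservice_policy.te is visible. The audit records are constructed to mirror the denials behind that module (the connectto denial is what produces the "(13)" in the dovecot error, 13 being EACCES, permission denied); PIDs, inode numbers, device names and timestamps are invented, and the final httpd record is unrelated noise added to show why the howto greps for the service first.

```python
"""Turn AVC denial records into an SELinux .te module (added example).

A small re-implementation of the core of audit2allow, written to show where
the rules in the thread's myservice_policy.te come from.  Not the real tool.
"""
import re
from collections import defaultdict

# Constructed audit records (permissive=1, i.e. captured the way Gordon's
# setenforce-permissive pass would see them).  Values are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493190345.101:201): avc:  denied  { connectto } for  pid=1234 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1493190345.101:201): arch=40000028 syscall=283 success=yes exit=0 comm="dict" exe="/usr/libexec/dovecot/dict"
type=AVC msg=audit(1493190345.102:202): avc:  denied  { read } for  pid=1234 comm="dict" name="my.cnf.d" dev="mmcblk0p3" ino=2621 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1493190345.103:203): avc:  denied  { read } for  pid=1234 comm="dict" name="my.cnf" dev="mmcblk0p3" ino=2620 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493190345.103:204): avc:  denied  { open } for  pid=1234 comm="dict" path="/etc/my.cnf" dev="mmcblk0p3" ino=2620 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493190345.104:205): avc:  denied  { getattr } for  pid=1234 comm="dict" path="/etc/my.cnf" dev="mmcblk0p3" ino=2620 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1493190400.500:206): avc:  denied  { name_connect } for  pid=4321 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type (third field) of an SELinux security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text, source_type=None):
    """Collect denied permissions keyed by (source type, target type, class).

    Denials sharing a key are merged into one permission set, which is how
    three separate file denials become '{ getattr open read }'.  source_type
    plays the role of the howto's 'grep service_pattern': without it every
    denial in the log, from any service, would end up granted.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if source_type is not None and src != source_type:
            continue
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """Render a permission set the way .te files write it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, rules, version="1.0"):
    """Render rules as a .te module: require block, then allow rules per source type."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(class_perms[cls])};" for cls in sorted(class_perms)]
    out += ["}", ""]
    for src in sorted({k[0] for k in rules}):
        out.append(f"#============= {src} ==============")
        out += [f"allow {s} {t}:{c} {fmt_perms(p)};"
                for (s, t, c), p in sorted(rules.items()) if s == src]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Only dovecot_t's denials, so the unrelated httpd_t record is not granted.
    print(render_te_module("myservice_policy", parse_avc_denials(SAMPLE_AUDIT_LOG, "dovecot_t")))
```

Read the generated .te before building it: every rule is a permanent grant, and a log captured in permissive mode contains every denial from every confined process that ran, not just the one being fixed. Once reviewed, the thread's own steps apply: build with `make -f /usr/share/selinux/devel/Makefile myservice_policy.pp`, load with `semodule -i myservice_policy.pp`, and remove with `semodule -r myservice_policy` (the module name, not the .pp file name, as Robert found).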



Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz
Thanks Laurent.  You obviously know a LOT more about SELinux than I.  I 
pretty much just use commands and not build policies.  So I need some 
more information here.


From what you provided below, how do I determine what is currently in 
place and how do I add your stuff (changing postgresql with mysql, nat.)


thanks

On 04/25/2017 10:26 AM, Laurent Wandrebeck wrote:

Le mardi 25 avril 2017 à 10:04 +0200, Robert Moskowitz a écrit :

I thought I had this fixed, but I do not.  I was away from this problem
working on other matters, and came back (after a reboot) and it is still
there, so I suspect when I thought I had it 'fixed' I was running with
setenforce 0 from another problem (that is fixed).

So anyone know how to get dovecot dict connecting to mysql when
enforcing?  Googling is not finding any real help.

Hi,

I’ve got some « tweaking » here (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled,

HTH,
Laurent.

module mydovecot 1.0;

require {
 type dovecot_auth_t;
 type postgresql_port_t;
 type dovecot_t;
 type var_t;
 type postfix_virtual_tmp_t;
 class tcp_socket name_connect;
 class file { rename read lock create write getattr link unlink open append };
 class dir { read write create add_name remove_name };
}

#= dovecot_auth_t ==

# This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#= dovecot_t ==

# This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
allow dovecot_t var_t:dir create;

# This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

# This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };





Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Laurent Wandrebeck
Le mardi 25 avril 2017 à 10:04 +0200, Robert Moskowitz a écrit :
> I thought I had this fixed, but I do not.  I was away from this problem 
> working on other matters, and came back (after a reboot) and it is still 
> there, so I suspect when I thought I had it 'fixed' I was running with 
> setenforce 0 from another problem (that is fixed).
> 
> So anyone know how to get dovecot dict connecting to mysql when 
> enforcing?  Googling is not finding any real help.

Hi,

I’ve got some « tweaking » here (using postgresql, obviously) so that
dovecot runs properly with SELinux enabled,

HTH,
Laurent.

module mydovecot 1.0;

require {
type dovecot_auth_t;
type postgresql_port_t;
type dovecot_t;
type var_t;
type postfix_virtual_tmp_t;
class tcp_socket name_connect;
class file { rename read lock create write getattr link unlink open append };
class dir { read write create add_name remove_name };
}

#= dovecot_auth_t ==

# This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#= dovecot_t ==

# This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
allow dovecot_t var_t:dir create;

# This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

# This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };

-- 
Laurent Wandrebeck 



[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-25 Thread Robert Moskowitz
I thought I had this fixed, but I do not.  I was away from this problem 
working on other matters, and came back (after a reboot) and it is still 
there, so I suspect when I thought I had it 'fixed' I was running with 
setenforce 0 from another problem (that is fixed).


So anyone know how to get dovecot dict connecting to mysql when 
enforcing?  Googling is not finding any real help.


On 04/07/2017 04:37 PM, Robert Moskowitz wrote:

I have been getting the following on my new mailserver:

Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect 
failed to database (postfix): Can't connect to local MySQL server 
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 
seconds before retry


They go away when I setenforce 0.

So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

that provides a /etc/selinux/dovecot2mysql.te

Is there a simpler way like a setsbool option?

With all the howtos on dovecot with mysql, it is interesting that none 
of them seem to have this problem.  Maybe because they connect to 
mysql through TCP port 3306 which has ITS set of problems (like 
MariaDB defaults to not listening on TCP).


thanks!



