Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-28 Thread me

On Fri, 28 Apr 2017, Gordon Messmer wrote:


On 04/28/2017 12:06 AM, Robert Moskowitz wrote:


 Here are the messages I got:

 type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1



My advice would be to slow down, and solve one problem at a time. We were 
talking about testing dovecot, and now you're testing postfix.  I know you 
need them both to work, but these are separate services, with their own 
individual policies.  If you're going to submit a bug report, you need to be 
able to specifically describe the problem and the solution.  You're not going 
to do that by mixing different services together.



 sendmail -i test...@test.htt-consult.com <
 /usr/share/doc/amavisd-new-2.10.1/test-messages/README

 It failed accessing mysql with the following maillog messages:


Yes, but the policy you added earlier only granted MySQL access to dovecot. 
For postfix, you'll want to check for booleans first and then create a policy 
(without debugging AVCs) if no boolean exists, and then look at debugging 
AVCs if there are still issues (which is *almost* never the case).




 When I get home Monday, I am going to rebuild the server.


That would be good.  Keep a log of *all* of the changes you make to the 
system, from the very beginning.  Once you resolve the problem, rebuild the 
server again and follow your log.


+1 to what Gordon said. It is the only way you are going to figure it out.

You could use something like Ansible so that you can rebuild the server the
same way in about 20 minutes. Yes, it takes time to get Ansible or something
similar to work but once you do, you can build the same thing as many times
as you need and they are always the same.

Just a thought.

Regards,

--
Tom m...@tdiehl.org Spamtrap address
me...@tdiehl.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-28 Thread Gordon Messmer

On 04/28/2017 12:06 AM, Robert Moskowitz wrote:


Here are the messages I got:

type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1



My advice would be to slow down, and solve one problem at a time. We 
were talking about testing dovecot, and now you're testing postfix.  I 
know you need them both to work, but these are separate services, with 
their own individual policies.  If you're going to submit a bug report, 
you need to be able to specifically describe the problem and the 
solution.  You're not going to do that by mixing different services 
together.


sendmail -i test...@test.htt-consult.com < 
/usr/share/doc/amavisd-new-2.10.1/test-messages/README


It failed accessing mysql with the following maillog messages:


Yes, but the policy you added earlier only granted MySQL access to 
dovecot.  For postfix, you'll want to check for booleans first and then 
create a policy (without debugging AVCs) if no boolean exists, and then 
look at debugging AVCs if there are still issues (which is *almost* 
never the case).




When I get home Monday, I am going to rebuild the server.


That would be good.  Keep a log of *all* of the changes you make to the 
system, from the very beginning.  Once you resolve the problem, rebuild 
the server again and follow your log.



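Triaging what `semodule -DB` surfaces, the way Gordon describes, as an added example (not code from the thread): it parses AVC records of the form Robert posted, groups them per service and domain transition so the dovecot entries are not mixed with the postfix ones before anything goes near audit2allow, and flags groups made only of the process-class inheritance permissions that the reference policy normally silences with dontaudit rules. The sample lines are constructed from the thread's AVCs plus one non-AVC record; `DONTAUDIT_NOISE`, `triage` and `only_noise` are names chosen here.

```python
import re
from collections import defaultdict

# One single-line AVC record (mail wraps these; rejoin before parsing).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

# Process-class perms the reference policy silences with dontaudit rules
# on domain transitions; `semodule -DB` makes them visible, and a group
# made only of these is rarely the cause of a real failure.
DONTAUDIT_NOISE = {"rlimitinh", "siginh", "noatsecure"}

# Constructed sample: three AVCs as posted in the thread plus one
# non-AVC audit record that the parser must skip.
SAMPLE = [
    'type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361695.041:49205): avc:  denied  { siginh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1493361699.102:49209): avc:  denied  { rlimitinh } for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1',
    'type=SYSCALL msg=audit(1493361699.102:49209): arch=c000003e syscall=59 success=yes exit=0',
]

def parse_avc(line):
    """Return a dict for one AVC line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"
    # Source domain up to its first underscore names the service
    # (postfix_master_t -> postfix, dovecot_t -> dovecot).
    rec["service"] = rec["scontext"].split(":")[2].split("_")[0]
    return rec

def triage(lines):
    """Map (service, scontext, tcontext, tclass) -> union of denied perms."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        groups[(rec["service"], rec["scontext"], rec["tcontext"], rec["tclass"])] |= rec["perms"]
    return groups

def only_noise(perms):
    """True when every denied perm is transition noise, safe to set aside."""
    return bool(perms) and perms <= DONTAUDIT_NOISE
```

Groups that are not pure noise are the ones worth reproducing one at a time in enforcing mode, as Gordon's procedure asks; `permissive` being true on every record confirms the lines came from a permissive run rather than a real block.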


Re: [CentOS] SAN certificates for multiple domains and multiple services

2017-04-28 Thread Gordon Messmer

On 04/28/2017 01:37 AM, Nicolas Kovacs wrote:

So before I go any further with this, I'm asking the more technically
proficient admins here. Are there any drawbacks to using this solution?



Until you run into the limit of 100 domains per cert, I think the 
process you described is preferred.




Re: [CentOS] SAN certificates for multiple domains and multiple services

2017-04-28 Thread Alice Wonder
I'm not sure I understand fully what you are doing but for postfix, use 
self-signed certs.


I have a script for generating a self-signed X.509v3 with SAN

https://github.com/AliceWonderMiscreations/SimpleCA/blob/master/keyGenMX_Dane.sh

(that project is not even close to being ready yet, ignore the various 
.md files there, but that particular script is ready and I use it in 
production)


The way that script is used -

sh keyGenMX_Dane.sh example1.com example2.com example1.net example2.net

It will create a self-signed X.509v3 certificate with SAN for whatever 
domains are listed as arguments.


It creates a 3-year certificate; you can edit it to do longer if you want.

It creates 3072-bit RSA but you can edit the script to do 2048 or 4096 
if you prefer.


Whatever you use, it is recommended your postfix be configured to use DH 
parameters of equal or greater bits.


It also calculates the DANE TLSA fingerprints if you want to use those 
with DNSSEC but you don't have to.


-=-

Spending money on a commercial CA signed certificate for postfix is a 
waste of money because other servers don't check the certificate before 
sending, because the alternative to encryption is plain text anyway.


On 04/28/2017 01:37 AM, Nicolas Kovacs wrote:

Hi,

I'm currently installing and configuring CentOS 7 on a public server.
The machine will host a few small-to-midsize projects that are currently
running on a handful of Slackware servers: public library databases, our
public school's agenda, a small webradio, OwnCloud for myself and a
local non-profit, etc.

Until recently I've mostly used self-signed SSL certificates for stuff
needing a secure connection. Then, some time ago, I discovered
LetsEncrypt and Certbot, which works very well, so I moved secure web
hosting to using a free LetsEncrypt certificate.

Now I want to take this to the next level and use these free
certificates for multiple services. Not only web hosting, but also
Postfix/Dovecot for mail and Prosody for XMPP.

I had to fiddle a bit for permissions, so everything can access the
certificate and key files right. I created a certs group and gave
everything under /etc/letsencrypt/live to root:certs. Then, when a
system user has to access this stuff, I simply add him to the certs group.

Then came a moment when I hit a wall, because Postfix can't handle
multiple certificates, only one. Let's say I have these domains on my
server:

  * example1.com
  * example2.com
  * example1.net
  * example2.net

When setting up Postfix, I can do one of these things:

1. continue to use a self-signed SSL certificate

2. choose one "preferred" domain on my server

3. set up multi-domain (SAN) certificates

I tried the SAN certificates (after experimenting a lot and getting it
right), and this stuff seems to work. I have one big bundle of
certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr
(sd-41XXX.dedibox.fr being my server's FQDN), and I have all the
certificates for all domains and subdomains of example1.com,
example2.com, example1.net and example2.net.

So before I go any further with this, I'm asking the more technically
proficient admins here. Are there any drawbacks to using this solution?
Is it problematic to bundle all my certificates into one big fat SAN
certificate? This being said, the machine will host a maximum of two
dozen domains, each with a handful of subdomains like mail.example1.com,
xmpp.example1.com, etc.

Cheers,

Niki Kovacs



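The kind of self-signed SAN certificate Alice describes, written here as an added example rather than her keyGenMX_Dane.sh: one RSA 3072 key, a three-year X.509v3 certificate whose SAN lists every domain passed as an argument, and the DANE TLSA "3 1 1" digest for it. It assumes openssl(1) is installed; the function names, the `mx.key`/`mx.crt` file names and the choice of the first domain as CN are mine.

```shell
# Added example (not Alice Wonder's keyGenMX_Dane.sh): self-signed X.509v3
# cert whose SAN covers every domain given, plus the DANE TLSA 3 1 1 digest
# (SHA-256 over the SubjectPublicKeyInfo). Assumes openssl(1) is installed;
# key size (3072) and lifetime (3 years) mirror the post.
set -eu

# gen_san_cert OUTDIR DOMAIN [DOMAIN...]: writes OUTDIR/mx.key and
# OUTDIR/mx.crt; the first domain becomes the CN, all of them go in the SAN.
gen_san_cert() {
    outdir=$1; shift
    sans=""
    for d in "$@"; do
        sans="${sans}${sans:+,}DNS:$d"
    done
    # Minimal request config; the SAN extension is what lets one cert
    # serve several mail domains, the CN alone is ignored by modern clients.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = $sans
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 1095 \
        -keyout "$outdir/mx.key" -out "$outdir/mx.crt" \
        -config "$outdir/san.cnf" 2>/dev/null
}

# tlsa_311 CERTFILE: hex SHA-256 of the DER public key, i.e. the data of a
# "_25._tcp.mail.example1.com. IN TLSA 3 1 1 <hex>" record.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_sans CERTFILE: the subjectAltName value, e.g. "DNS:a, DNS:b"
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Selector 1 (the public key rather than the whole certificate) means the TLSA record stays valid when the certificate is re-issued with the same key, which is what makes the record practical to keep in DNSSEC-signed zones.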


[CentOS] SAN certificates for multiple domains and multiple services

2017-04-28 Thread Nicolas Kovacs
Hi,

I'm currently installing and configuring CentOS 7 on a public server.
The machine will host a few small-to-midsize projects that are currently
running on a handful of Slackware servers: public library databases, our
public school's agenda, a small webradio, OwnCloud for myself and a
local non-profit, etc.

Until recently I've mostly used self-signed SSL certificates for stuff
needing a secure connection. Then, some time ago, I discovered
LetsEncrypt and Certbot, which works very well, so I moved secure web
hosting to using a free LetsEncrypt certificate.

Now I want to take this to the next level and use these free
certificates for multiple services. Not only web hosting, but also
Postfix/Dovecot for mail and Prosody for XMPP.

I had to fiddle a bit for permissions, so everything can access the
certificate and key files right. I created a certs group and gave
everything under /etc/letsencrypt/live to root:certs. Then, when a
system user has to access this stuff, I simply add him to the certs group.

Then came a moment when I hit a wall, because Postfix can't handle
multiple certificates, only one. Let's say I have these domains on my
server:

  * example1.com
  * example2.com
  * example1.net
  * example2.net

When setting up Postfix, I can do one of these things:

1. continue to use a self-signed SSL certificate

2. choose one "preferred" domain on my server

3. set up multi-domain (SAN) certificates

I tried the SAN certificates (after experimenting a lot and getting it
right), and this stuff seems to work. I have one big bundle of
certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr
(sd-41XXX.dedibox.fr being my server's FQDN), and I have all the
certificates for all domains and subdomains of example1.com,
example2.com, example1.net and example2.net.

So before I go any further with this, I'm asking the more technically
proficient admins here. Are there any drawbacks to using this solution?
Is it problematic to bundle all my certificates into one big fat SAN
certificate? This being said, the machine will host a maximum of two
dozen domains, each with a handful of subdomains like mail.example1.com,
xmpp.example1.com, etc.

Cheers,

Niki Kovacs
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

2017-04-28 Thread Robert Moskowitz

Gordon,

Thank you for your help on this.  Still not working...

On 04/26/2017 06:27 PM, Gordon Messmer wrote:

On 04/26/2017 12:29 AM, Robert Moskowitz wrote:
But the policy generates errors.  I will have to submit a bug report, 
it seems 



A bug report would probably be helpful.

I'm looking back at the message you wrote describing errors in 
ld-2.17.so.  I think what's happening is that the policy on your 
system includes a silent rule that somehow breaks your system. You'll 
need to turn on debugging (logging the otherwise silent AVCs) to 
figure this out, in order to provide information that the maintainers 
can use to actually fix the problem.


So, similar to the previous process:

1: semodule -DB
2: setenforce permissive
3: tail -f /var/log/audit/audit.log | grep AVC
4: use the service, exercise each function that's constrained by the 
existing policy
5: copy and paste the output from the terminal used for #2 into 
"audit2allow -M "

6: setenforce enforcing
7: semodule -B

You'll want to do this with your custom policy installed.  In the 
terminal that's following audit.log, you should now see AVCs logged 
that you didn't before.  Please send them to the list.


If you're only interested in resolving your problem, it should be 
sufficient to build one new module with the AVCs logged here.  If you 
want to produce a useful bug report and fix the problem for the 
future, for everyone, you need to first get back into enforcing mode 
and THEN build a new module with each individual AVC, installing each 
one and then testing dovecot, until you resolve the problem, and then 
removing all of the other new modules until you confirm that you've 
found one (or a minimal combination) of rules that is causing dovecot 
to crash and log a backtrace.


Here are the messages I got:

type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { siginh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { noatsecure } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { rlimitinh } for  pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { siginh } for  pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361695.978:49206): avc:  denied  { noatsecure } for  pid=3052 comm="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { rlimitinh } for  pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { siginh } for  pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361698.775:49208): avc:  denied  { noatsecure } for  pid=3056 comm="smtpd" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { rlimitinh } for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { siginh } for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.102:49209): avc:  denied  { noatsecure } for  pid=3057 comm="auth" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:dovecot_auth_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { rlimitinh } for  pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { siginh } for  pid=3063 comm="pipe" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pipe_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361699.950:49210): avc:  denied  { noatsecure } for  pid=3063 comm="pipe"