Re: NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

[Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>]

On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
> > Quick’n’(really) dirty SELinux howto:
>
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the 
> existing policy
> 4: copy and paste the output from the terminal used for #2 into 
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time 
> building some policies.

This made the same content as before that caused problems:


module myservice_policy 1.0;

require {
    type dovecot_t;
    type mysqld_etc_t;
    type mysqld_t;
    class unix_stream_socket connectto;
    class file { getattr open read };
    class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 
'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean?  I don't think I want to restorecon for a 
socket:

# ls -Z /var/lib/mysql
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.00000001
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos