Bug 1368642

Summary: When connecting the mail system to mariadb via socket, new rules are needed.
Product: Red Hat Enterprise Linux 7
Reporter: Frank Büttner <bugzilla>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.2
CC: adzilsky, bugzilla, fsumsal, kvolny, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-10-30 09:59:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Frank Büttner 2016-08-20 09:48:06 UTC
Description of problem:
When using a socket connection for the mail system (postfix, dovecot) to connect to a local MariaDB database, an additional rule set is needed.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch

How reproducible:
every time

Steps to Reproduce:
1. configure both to connect to the database via sockets.

Actual results:
Many denied messages from SELinux.

Expected results:
Working connection.


Additional info:
audit2allow gives:
require {
        type init_t;
        type usr_t;
        type dovecot_auth_t;
        type httpd_t;
        type postfix_cleanup_t;
        type shadow_t;
        type logrotate_t;
        type mysqld_db_t;
        type hugetlbfs_t;
        type postfix_master_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { write read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t init_t:unix_stream_socket connectto;
allow dovecot_auth_t mysqld_db_t:sock_file write;
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_db_t:sock_file write;
#============= postfix_master_t ==============
allow postfix_master_t init_t:unix_stream_socket connectto;
allow postfix_master_t mysqld_db_t:sock_file write;

Comment 1 Frank Büttner 2016-08-20 09:52:04 UTC
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:sock_file write;

are also needed.

Comment 3 Miroslav Grepl 2016-08-22 09:38:03 UTC
So it works with this local policy, correct?

Thank you.

Comment 4 Frank Büttner 2016-08-22 14:43:40 UTC
Yes.

Comment 9 Milos Malik 2018-02-05 17:30:45 UTC
# rpm -qa selinux\*
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s dovecot_auth_t -t init_t -c unix_stream_socket -p connectto -A -C -D

# sesearch -s postfix_master_t -t init_t -c unix_stream_socket -p connectto -A -C -D

#

Unfortunately, SELinux denials in raw form are not attached. It's difficult to tell which process was running as init_t. If it was systemd then the policy is missing 2 allow rules.
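
As an added example (not code from this report or from the selinux-policy project), the following Python script parses the audit2allow fragment posted in the description and Comment 1, lists the allow rules it contains, flags types that are declared in the require block but used by no rule (and types used by a rule but not declared, which checkmodule would reject when the fragment is built into a module), and prints the sesearch query that checks whether the installed policy already grants each rule, which is the check Milos ran by hand in Comment 9. The embedded sample is a constructed copy of the rules from the report, so the script runs without SELinux tools installed; the sesearch flags it emits (-A, -s, -t, -c, -p) are the standard setools options.

```python
"""Parse audit2allow output and derive sesearch verification queries."""
import re
from dataclasses import dataclass

# Constructed copy of the audit2allow fragment from the report (description
# plus the postfix_smtpd_t rule from Comment 1, which the require block lacks).
SAMPLE = """\
require {
        type init_t;
        type usr_t;
        type dovecot_auth_t;
        type httpd_t;
        type postfix_cleanup_t;
        type shadow_t;
        type logrotate_t;
        type mysqld_db_t;
        type hugetlbfs_t;
        type postfix_master_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { write read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t init_t:unix_stream_socket connectto;
allow dovecot_auth_t mysqld_db_t:sock_file write;
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_db_t:sock_file write;
#============= postfix_master_t ==============
allow postfix_master_t init_t:unix_stream_socket connectto;
allow postfix_master_t mysqld_db_t:sock_file write;
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:sock_file write;
"""


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: tuple  # sorted permission names


# "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M
)
# "type foo_t;" lines inside the require block
REQUIRE_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)


def parse_allow_rules(text):
    """Return every allow rule in a TE fragment as an AllowRule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        perm_set = tuple(sorted(perms.strip("{} ").split()))
        rules.append(AllowRule(src, tgt, cls, perm_set))
    return rules


def unused_required_types(text, rules):
    """Types declared in the require block that no allow rule references."""
    required = set(REQUIRE_TYPE_RE.findall(text))
    used = {r.source for r in rules} | {r.target for r in rules}
    return sorted(required - used)


def missing_required_types(text, rules):
    """Types an allow rule references but the require block does not declare."""
    required = set(REQUIRE_TYPE_RE.findall(text))
    used = {r.source for r in rules} | {r.target for r in rules}
    return sorted(used - required)


def sesearch_command(rule):
    """The sesearch query that shows whether the loaded policy grants this rule."""
    perms = ",".join(rule.perms)
    return (f"sesearch -A -s {rule.source} -t {rule.target} "
            f"-c {rule.tclass} -p {perms}")


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE)
    for rule in rules:
        print(sesearch_command(rule))
    print("declared but unused types:", unused_required_types(SAMPLE, rules))
    print("used but undeclared types:", missing_required_types(SAMPLE, rules))
```

Running the script prints one sesearch line per rule; an empty result from sesearch on a live system means the installed policy still lacks that rule, which is how Comment 9 concluded that the init_t connectto rules were absent from 3.13.1-186.el7. Types such as shadow_t or httpd_t that appear in the require block without any matching rule are a sign that the captured denials included unrelated traffic and should be reviewed rather than shipped in a local module.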

Comment 10 Lukas Vrabec 2018-02-06 09:51:02 UTC
Milos, 

Are you able to test if mail system can communicate with mariadb via sockets? If yes, let's close this and create new BZ with denials related to init_t. 

Thanks,
Lukas.

Comment 21 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111