Bug 1368642 - When connecting the mail system to mariadb via socked, new rules are needed.
Summary: When connecting the mail system to mariadb via socked, new rules are needed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-20 09:48 UTC by Frank Büttner
Modified: 2021-11-08 14:30 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:15 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 0 None None None 2018-10-30 10:00:02 UTC

Description Frank Büttner 2016-08-20 09:48:06 UTC 
Description of problem:
When using socked connection for the mail system (posfix,dovecot) to connect to an local maria database, then an additional role set are needed.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-60.el7_2.7.noarch

How reproducible:
every every time 

Steps to Reproduce:
1. configure both to connect to the database via sockets.

Actual results:
Many denied messages form selinux.

Expected results:
Working connection.


Additional info:
audit2allow gives:
require {
        type init_t;
        type usr_t;
        type dovecot_auth_t;
        type httpd_t;
        type postfix_cleanup_t;
        type shadow_t;
        type logrotate_t;
        type mysqld_db_t;
        type hugetlbfs_t;
        type postfix_master_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { write read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t init_t:unix_stream_socket connectto;
allow dovecot_auth_t mysqld_db_t:sock_file write;
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_db_t:sock_file write;
#============= postfix_master_t ==============
allow postfix_master_t init_t:unix_stream_socket connectto;
allow postfix_master_t mysqld_db_t:sock_file write;
Comment 1 Frank Büttner 2016-08-20 09:52:04 UTC 
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:sock_file write;

are also needed.
Comment 3 Miroslav Grepl 2016-08-22 09:38:03 UTC 
So it works with this local policy, correct?

Thank you.
Comment 4 Frank Büttner 2016-08-22 14:43:40 UTC 
Yes.
Comment 9 Milos Malik 2018-02-05 17:30:45 UTC 
# rpm -qa selinux\*
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s dovecot_auth_t -t init_t -c unix_stream_socket -p connectto -A -C -D

# sesearch -s postfix_master_t -t init_t -c unix_stream_socket -p connectto -A -C -D

#

Unfortunately, SELinux denials in raw form are not attached. It's difficult to tell which process was running as init_t. If it was systemd then the policy is missing 2 allow rules.
Comment 10 Lukas Vrabec 2018-02-06 09:51:02 UTC 
Milos, 

Are you able to test if mail system can communicate with mariadb via sockets? If yes, let's close this and create new BZ with denials related to init_t. 

Thanks,
Lukas.
Comment 21 errata-xmlrpc 2018-10-30 09:59:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
Note You need to log in before you can comment on or make changes to this bug.