Bug 1368642 - When connecting the mail system to mariadb via socket, new rules are needed. [NEEDINFO]
Summary: When connecting the mail system to mariadb via socket, new rules are needed.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Reported: 2016-08-20 09:48 UTC by Frank Büttner
Modified: 2018-10-30 10:00 UTC (History)

Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-30 09:59:15 UTC
Target Upstream Version:
mmalik: needinfo? (fsumsal)
mmalik: needinfo? (kvolny)
mmalik: needinfo? (adzilsky)


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:00:02 UTC

Description Frank Büttner 2016-08-20 09:48:06 UTC
Description of problem:
When using a socket connection for the mail system (postfix, dovecot) to connect to a local MariaDB database, an additional rule set is needed.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. configure both to connect to the database via sockets.

Actual results:
Many denied messages from SELinux.

Expected results:
Working connection.

Additional info:
audit2allow gives:
require {
        type init_t;
        type usr_t;
        type dovecot_auth_t;
        type httpd_t;
        type postfix_cleanup_t;
        type shadow_t;
        type logrotate_t;
        type mysqld_db_t;
        type hugetlbfs_t;
        type postfix_master_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class file { write read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t init_t:unix_stream_socket connectto;
allow dovecot_auth_t mysqld_db_t:sock_file write;
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_db_t:sock_file write;
#============= postfix_master_t ==============
allow postfix_master_t init_t:unix_stream_socket connectto;
allow postfix_master_t mysqld_db_t:sock_file write;

Comment 1 Frank Büttner 2016-08-20 09:52:04 UTC
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:sock_file write;

are also needed.

Comment 3 Miroslav Grepl 2016-08-22 09:38:03 UTC
So it works with this local policy, correct?

Thank you.

Comment 4 Frank Büttner 2016-08-22 14:43:40 UTC

Comment 9 Milos Malik 2018-02-05 17:30:45 UTC
# rpm -qa selinux\*
# sesearch -s dovecot_auth_t -t init_t -c unix_stream_socket -p connectto -A -C -D

# sesearch -s postfix_master_t -t init_t -c unix_stream_socket -p connectto -A -C -D


Unfortunately, SELinux denials in raw form are not attached. It's difficult to tell which process was running as init_t. If it was systemd then the policy is missing 2 allow rules.
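The description's audit2allow output and Comment 9's remark about missing raw denials both come down to the same triage step: read the AVC records, aggregate them into candidate rules, and look at the comm/pid and socket path of any denial whose target domain is unexpected (init_t here). The script below is an added example, not code from the bug report or from selinux-policy; the SAMPLE_AVC lines are constructed, not the reporter's, and the function names (parse_avc, allow_rules, require_block, targets_in_domain) are this example's own.

```python
"""AVC denial triage for the postfix/dovecot -> MariaDB socket case.

Added example, not code from the bug report: parses raw auditd AVC lines
(the form Comment 9 asks for), turns them into audit2allow-style rules, and
shows which process and socket sit behind a denial whose target is an
unexpected domain such as init_t.
"""
import re

# Constructed sample records (not taken from the reporter's system).
SAMPLE_AVC = """\
type=AVC msg=audit(1471686000.123:456): avc:  denied  { write } for  pid=1234 comm="auth" name="mysql.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1471686000.124:457): avc:  denied  { connectto } for  pid=1234 comm="auth" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1471686000.124:457): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1471686001.001:458): avc:  denied  { write } for  pid=2345 comm="smtpd" name="mysql.sock" dev="tmpfs" ino=12345 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # connectto denials carry path=, sock_file denials carry name=
        'path': fields.get('path') or fields.get('name'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_log(text):
    """All AVC denials in a chunk of audit.log text, in file order."""
    return [d for d in map(parse_avc, text.splitlines()) if d]


def fmt_perms(perms):
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'


def allow_rules(denials):
    """Aggregate denials into one allow rule per (source, target, class)."""
    perms_by_key = {}
    for d in denials:
        perms_by_key.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    # dict preserves first-seen order, so rules come out in log order
    return [f'allow {s} {t}:{c} {fmt_perms(perms)};' for (s, t, c), perms in perms_by_key.items()]


def require_block(denials):
    """The require { ... } header a local .te module needs for those rules."""
    types = sorted({d['stype'] for d in denials} | {d['ttype'] for d in denials})
    perms_by_class = {}
    for d in denials:
        perms_by_class.setdefault(d['tclass'], set()).update(d['perms'])
    lines = ['require {'] + [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(perms_by_class.items())]
    lines.append('}')
    return '\n'.join(lines)


def targets_in_domain(denials, domain='init_t'):
    """Denials aimed at `domain`. comm/pid name the *connecting* process; the
    socket path is what identifies the listener actually running as `domain`,
    which is the question Comment 9 could not answer without raw denials."""
    return [(d['comm'], d['pid'], d['path']) for d in denials if d['ttype'] == domain]


if __name__ == '__main__':
    denials = parse_log(SAMPLE_AVC)
    print(require_block(denials))
    print('\n'.join(allow_rules(denials)))
    for comm, pid, path in targets_in_domain(denials):
        print(f'# {comm}[{pid}] was denied connecting to {path}; that listener runs as init_t')
```

Run it against `grep avc: /var/log/audit/audit.log` output instead of SAMPLE_AVC to triage a real system. A connectto denial whose target is init_t and whose path is the database socket says the database server itself is running unconfined under systemd's domain, which is a labelling problem to fix rather than a rule to allow; the sock_file write denials against mysqld_db_t are the ones the fixed policy addresses.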

Comment 10 Lukas Vrabec 2018-02-06 09:51:02 UTC

Are you able to test whether the mail system can communicate with mariadb via sockets? If yes, let's close this and create a new BZ with the denials related to init_t.


Comment 21 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

