On 2/5/19 8:57 AM, Thomas Mueller wrote:
On 2/5/19 2:52 PM, Robert Moskowitz wrote:
Thank you for replying.
On 2/5/19 2:06 AM, Thomas Mueller wrote:
On 2/4/19 8:55 PM, Robert Moskowitz wrote:
I am working with Centos7:
I have configured Dovecot to connect to mysqld via socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password
I test sending a message with
sendmail -i rgm@xxxxxxxxxxxxxxxxxxxx < README
This fails with the following message in maillog
Feb 4 11:28:48 klovia dovecot: dict(13122): Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
SELinux denials are logged with auditd:
# show some summary (recent = last 10min)
aureport --avc --start recent
A number of dovecot_t errors. e.g.
18. 02/05/2019 08:38:44 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 578
But after I setenforce 0, I see:
32. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 593
33. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read unconfined_u:object_r:mysqld_etc_t:s0 denied 594
34. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open unconfined_u:object_r:mysqld_etc_t:s0 denied 594
35. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 322 dir read unconfined_u:object_r:mysqld_etc_t:s0 denied 595
36. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr system_u:object_r:mysqld_etc_t:s0 denied 596
37. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read system_u:object_r:mysqld_etc_t:s0 denied 597
38. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open system_u:object_r:mysqld_etc_t:s0 denied 597
39. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 283 unix_stream_socket connectto system_u:system_r:mysqld_t:s0 denied 598
# if it's the dovecot_t type that spits AVC denials, then you
probably could create dummy policy by using the audit2allow tool:
ausearch -m AVC --context dovecot_t | audit2allow --reference -m dovecot_mysql_custom
This throws an error:
could not open interface info [/var/lib/sepolgen/interface_info]
running sepol-ifgen should fix this
Command not found, and "yum whatprovides sepol-ifgen" comes up empty.
How do I get it?
But I really don't know what state the refpolicy is in with
Fedora/Redhat. The reply of Zdenek uses CIL (a new way of writing a
policy); I don't know what the default is now and what is best to be
used.
Quite the problem. It seems that anyone using Dovecot with mysql dodges
this issue by turning off SELinux. I can find lots of blogs telling me
to do this. But I am stubborn and really want to keep SELinux.
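The thread stops at the audit2allow error, so here is an added example (editor's code, not from the thread or from any of its participants) of the step that matters before loading any module: reading the denials back as the allow rules they imply. Two points from the thread drive it. First, the single denial seen under enforcing mode and the eight seen after setenforce 0 are the same access path: in enforcing mode the first denial (getattr) aborts the connect, so only permissive mode reveals the full set of permissions a rule would need. Second, audit2allow's --reference mode is what needs the /var/lib/sepolgen/interface_info cache (built by sepolgen-ifgen, packaged in policycoreutils-devel on CentOS 7); a plain `audit2allow -M dovecot_mysql_custom` does not need it. The script below assumes the column order `aureport --avc` prints (event number, date, time, comm, subject context, syscall, class, permission, object context, result, event id), takes the eight lines from the thread as its constructed sample, and renders the same .te shape audit2allow -m would, so the rules can be read line by line first.

```python
"""Turn `aureport --avc` lines into reviewable SELinux allow rules.

Added example, not code from the mailing-list thread: parse the denial
lines the way audit2allow would, group them into the allow rules a custom
module would need, and render a .te source so the rules can be read
before anything is loaded with semodule.
"""
import re
from collections import defaultdict

# Constructed sample: the eight denials from the thread, seen under
# permissive mode, unwrapped onto one line each. Assumed column order of
# `aureport --avc`: event#, date, time, comm, subject context, syscall,
# class, permission, object context, result, audit event id.
SAMPLE_REPORT = """\
32. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 593
33. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read unconfined_u:object_r:mysqld_etc_t:s0 denied 594
34. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open unconfined_u:object_r:mysqld_etc_t:s0 denied 594
35. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 322 dir read unconfined_u:object_r:mysqld_etc_t:s0 denied 595
36. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr system_u:object_r:mysqld_etc_t:s0 denied 596
37. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read system_u:object_r:mysqld_etc_t:s0 denied 597
38. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open system_u:object_r:mysqld_etc_t:s0 denied 597
39. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 283 unix_stream_socket connectto system_u:system_r:mysqld_t:s0 denied 598
"""

AVC_LINE = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+"
    r"(?P<scontext>\S+)\s+(?P<syscall>\S+)\s+(?P<tclass>\S+)\s+"
    r"(?P<perm>\S+)\s+(?P<tcontext>\S+)\s+(?P<result>denied|granted)\s+"
    r"(?P<event>\d+)$"
)


def context_type(ctx):
    """Return the type field of a user:role:type:level context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return parts[2]


def parse_report(text):
    """Yield one dict per AVC line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AVC_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_denials(records, source_type=None):
    """Group denied accesses into {(stype, ttype, class): set(perms)}.

    The SELinux user and role of the object (unconfined_u vs system_u in
    the sample) do not matter for a type-enforcement rule, so entries
    32-34 and 36-38 collapse into a single file rule.
    """
    rules = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        stype = context_type(r["scontext"])
        if source_type and stype != source_type:
            continue
        ttype = context_type(r["tcontext"])
        rules[(stype, ttype, r["tclass"])].add(r["perm"])
    return dict(rules)


def render_te(module_name, rules, version="1.0"):
    """Render module source in the shape `audit2allow -m` produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms

    def perm_set(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

    out = ["module %s %s;" % (module_name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, perm_set(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_set(rules[key])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = summarize_denials(parse_report(SAMPLE_REPORT), source_type="dovecot_t")
    print(render_te("dovecot_mysql_custom", found))
```

Run against the sample it yields three rules: read on mysqld_etc_t directories, getattr/open/read on mysqld_etc_t files, and connectto on the mysqld_t unix_stream_socket. The connectto rule is the one the socket-based `connect =` line actually needs; the mysqld_etc_t file and directory reads are most likely the MySQL client library reading its own configuration (/etc/my.cnf and /etc/my.cnf.d carry that label), which is worth knowing before granting them. Whatever the script prints can be fed to `checkmodule`/`semodule_package` or, more simply, regenerated with plain `audit2allow -M dovecot_mysql_custom` once the rules have been read and agreed with; that keeps SELinux enforcing instead of taking the "setenforce 0" advice the blogs give.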
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx