Re: SELinux blocking Dovecot from mysqld socket

On 2/5/19 8:57 AM, Thomas Mueller wrote:

On 2/5/19 2:52 PM, Robert Moskowitz wrote:
Thank you for replying.

On 2/5/19 2:06 AM, Thomas Mueller wrote:

On 2/4/19 8:55 PM, Robert Moskowitz wrote:
I am working with Centos7:

I have configured Dovecot to connect to mysqld via socket:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password

I test sending a message with

sendmail -i rgm@xxxxxxxxxxxxxxxxxxxx < README

This fails with the following message in maillog

Feb  4 11:28:48 klovia dovecot: dict(13122): Error: mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

SELinux denials are logged with auditd:

# show some summary (recent = last 10min)

aureport --avc --start recent

A number of dovecot_t errors.  e.g.

18. 02/05/2019 08:38:44 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 578

But after I setenforce 0, I see:

32. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 593
33. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read unconfined_u:object_r:mysqld_etc_t:s0 denied 594
34. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open unconfined_u:object_r:mysqld_etc_t:s0 denied 594
35. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 322 dir read unconfined_u:object_r:mysqld_etc_t:s0 denied 595
36. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr system_u:object_r:mysqld_etc_t:s0 denied 596
37. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read system_u:object_r:mysqld_etc_t:s0 denied 597
38. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open system_u:object_r:mysqld_etc_t:s0 denied 597
39. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 283 unix_stream_socket connectto system_u:system_r:mysqld_t:s0 denied 598



# if it's the dovecot_t type that spits AVC denials, then you probably could create a dummy policy by using the audit2allow tool:

ausearch -m AVC --context dovecot_t | audit2allow --reference -m dovecot_mysql_custom

This throws an error:

could not open interface info [/var/lib/sepolgen/interface_info]

running sepol-ifgen should fix this

Command not found, and "yum whatprovides sepol-ifgen" comes up empty.  How do I get it?

but I really don't know what state the refpolicy is in with Fedora/Redhat. The reply of Zdenek uses CIL (a new way of writing a policy) - I don't know what the default is now and what is best to be used.

Quite the problem.  It seems that anyone using Dovecot with mysql dodges this issue by turning off SELinux.  I can find lots of blogs telling me to do this.  But I am stubborn and really want to keep SELinux.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
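As an added example that is not part of the thread or of any Fedora/SELinux tool: a small Python script that does in outline what audit2allow does, reading the aureport --avc lines quoted above (embedded here as constructed sample input) and reducing them to the minimal set of allow rules a local module would need. The point is to see exactly what dovecot_t is asking for (read access to the mysqld config files and a connect to the mysqld socket, nothing wider) before loading anything, instead of reaching for setenforce 0. The module name dovecot_mysql_custom is taken from the post; the parsing and the emitted Type Enforcement text are mine, so compare the draft against real `audit2allow -M` output (and `audit2allow -R`, which tries to map such rules to policy interfaces where they exist) rather than loading it as-is.

```python
"""Summarise `aureport --avc` output into (source type, target type, class,
permissions) tuples and draft a Type Enforcement module for review.

Added example, not from the thread.  SAMPLE_AUREPORT is constructed from the
entries quoted in the post; the module name is the one the poster used.
"""
import re
from collections import defaultdict

# Constructed sample: the eight aureport entries quoted in the thread.
SAMPLE_AUREPORT = """\
32. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr unconfined_u:object_r:mysqld_etc_t:s0 denied 593
33. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read unconfined_u:object_r:mysqld_etc_t:s0 denied 594
34. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open unconfined_u:object_r:mysqld_etc_t:s0 denied 594
35. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 322 dir read unconfined_u:object_r:mysqld_etc_t:s0 denied 595
36. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 195 file getattr system_u:object_r:mysqld_etc_t:s0 denied 596
37. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file read system_u:object_r:mysqld_etc_t:s0 denied 597
38. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 5 file open system_u:object_r:mysqld_etc_t:s0 denied 597
39. 02/05/2019 08:39:45 dict system_u:system_r:dovecot_t:s0 283 unix_stream_socket connectto system_u:system_r:mysqld_t:s0 denied 598
"""

# aureport --avc columns: seq date time comm subj syscall class permission obj result event
ROW = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<scon>\S+)\s+(?P<syscall>\S+)\s+"
    r"(?P<cls>\S+)\s+(?P<perm>\S+)\s+(?P<tcon>\S+)\s+(?P<result>\S+)\s+(?P<event>\d+)$"
)


def seltype(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse aureport --avc lines; lines that do not match the column layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarise(rows, comm=None, result="denied"):
    """Collapse rows into {(source_type, target_type, class): set(permissions)}.

    comm lets you restrict to one process name (like `ausearch -c dict`), so
    denials from unrelated daemons do not leak into the module.  The SELinux
    user/role parts of the contexts are dropped: allow rules are between types.
    """
    needed = defaultdict(set)
    for r in rows:
        if r["result"] != result or (comm and r["comm"] != comm):
            continue
        key = (seltype(r["scon"]), seltype(r["tcon"]), r["cls"])
        needed[key].add(r["perm"])
    return dict(needed)


def fmt(perms):
    """Render a permission set in TE syntax: `read` or `{ getattr open read }`."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def draft_te(needed, module="dovecot_mysql_custom", version="1.0"):
    """Emit a .te module with a require block and one allow rule per tuple."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in needed.items():
        classes[cls] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {fmt(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(needed.items()):
        lines.append(f"allow {src} {tgt}:{cls} {fmt(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = summarise(parse_avcs(SAMPLE_AUREPORT), comm="dict")
    for key, perms in sorted(rules.items()):
        print(key, sorted(perms))
    print(draft_te(rules))
```

Run against the quoted entries it yields exactly three rules: dovecot_t to mysqld_etc_t:file { getattr open read }, dovecot_t to mysqld_etc_t:dir read, and dovecot_t to mysqld_t:unix_stream_socket connectto. Anything beyond that in a generated module (a different source domain, a write permission, a broad target type) is a sign the audit window picked up unrelated denials and the module should be trimmed before `semodule -i`.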