On Tue, Feb 5, 2019 at 2:54 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> On 2/5/19 3:23 AM, Zdenek Pytela wrote:
> >
> > On Mon, Feb 4, 2019 at 9:03 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> > >
> > > I am working with CentOS 7:
> > >
> > > I have configured Dovecot to connect to mysqld via socket:
> > >
> > > connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
> > > password=Postfix_Database_Password
> > >
> > > I test sending a message with
> > >
> > > sendmail -i rgm@xxxxxxxxxxxxxxxxxxxx < README
> > >
> > > This fails with the following message in maillog:
> > >
> > > Feb 4 11:28:48 klovia dovecot: dict(13122): Error:
> > > mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix):
> > > Can't connect to local MySQL server through socket
> > > '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
> > >
> > > If I setenforce to 0, the connection works. So it clearly is an SELinux
> > > problem. I worked on this almost 2 years ago on another system and found:
> > >
> > > http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
> > >
> > > But I was hoping that there were better tools now with CentOS 7. I
> > > checked for setsebool at:
> > >
> > > https://linux.die.net/man/8/mysqld_selinux
> > >
> > > and tried:
> > >
> > > setsebool -P allow_user_mysql_connect 1
> > >
> > > But the mail still does not go unless I setenforce to 0.
> >
> > Hi,
> >
> > this boolean allows a different permission - see the manual page:
> >
> > > If you want to allow users to connect to mysql, you must turn on the
> > > allow_user_mysql_connect boolean.
> >
> > > Is there some way to get SELinux to allow dovecot (and postfix) to
> > > connect to mysqld?
> >
> > While dovecot is allowed to connect to the postgresql port, there is no
> > similar permission for mysql:
> >
> > # sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
> > allow dovecot_t postgresql_port_t:tcp_socket name_connect;
> >
> > However, if this permission is the only one missing, you can simply add
> > it with:
> >
> > # echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
> > # semodule -i dovecot-mysql.cil
> > # sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
> > allow dovecot_t mysqld_port_t:tcp_socket name_connect;
> > allow dovecot_t postgresql_port_t:tcp_socket name_connect;
>
> Still getting the error. This does not seem to be what is needed. Isn't
> this to open TCP access, where I am using the unix socket interface?

Indeed, what Zdenek advised is for allowing connections via TCP. Could
you try the following instead?

dnf install selinux-policy-devel
cat >dovecot_mysql.te <<'EOF'
policy_module(dovecot_mysql,1.0.0)

gen_require(`
	type dovecot_t;
')

mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
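The procedure in the last reply, as an added example that is not code from the thread or from the Fedora/refpolicy project: a small POSIX shell script that first summarises the AVC denials you should see for the dict process (so you know the missing permissions really are the sock_file write and unix_stream_socket connectto, not the TCP name_connect that the earlier CIL module added), then writes the same .te source, builds it with the selinux-policy-devel Makefile, loads it and checks the resulting rules with sesearch. The heredoc delimiter is quoted so the shell does not treat the backtick in gen_require as the start of a command substitution. It assumes the denied domain is dovecot_t, as the thread does, and that the mysql_read_config and mysql_stream_connect interfaces are present in the installed policy headers (on CentOS 7 they come from the selinux-policy-devel package, installed with yum). The function names, the temporary paths and the sample audit records are mine, constructed for the dry run, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials, write, build,
# load and verify a local module that lets dovecot_t reach mysqld's socket.
# Assumes: denied domain is dovecot_t; mysql_read_config/mysql_stream_connect
# come from selinux-policy-devel. Function names and paths are my choices.
set -eu

# 1. Summarise denials for dovecot_t from a file of audit records, e.g. one
#    produced with: ausearch -m avc -c dict > /tmp/avc.log
#    Prints "source_type target_type tclass permission", one line per record.
dovecot_avc_summary() {
    awk '
      /avc: *denied/ {
        perm = ""; s = ""; t = ""; c = ""
        if (match($0, /denied +\{ [^}]* \}/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +\{ /, "", perm); sub(/ \}$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   c = kv[2]
        }
        if (s == "dovecot_t") print s, t, c, perm
      }' "$1"
}

# 2. Write the policy source into directory $1 (same interfaces as the reply).
#    Quoted delimiter: the shell leaves the backtick in gen_require alone.
dovecot_mysql_write_te() {
    cat > "$1/dovecot_mysql.te" <<'EOF'
policy_module(dovecot_mysql, 1.0.0)

gen_require(`
    type dovecot_t;
')

# Read the MySQL client config and connect to mysqld's UNIX socket: write on
# the mysqld_var_run_t sock_file plus unix_stream_socket connectto towards
# mysqld_t. Nothing here touches the TCP port.
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
    echo "$1/dovecot_mysql.te"
}

# 3. Build and load. Needs selinux-policy-devel (yum install on CentOS 7)
#    and root for semodule.
dovecot_mysql_build_and_load() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp )
    semodule -i "$1/dovecot_mysql.pp"
}

# 4. Confirm the module is loaded and the socket rules exist; non-zero if
#    the module is missing.
dovecot_mysql_verify() {
    semodule -l | grep -q '^dovecot_mysql' || return 1
    sesearch -A -s dovecot_t -t mysqld_t -c unix_stream_socket -p connectto
    sesearch -A -s dovecot_t -t mysqld_var_run_t -c sock_file -p write
}

# Constructed sample records in the shape ausearch -m avc prints (not from
# the reporter's host), so the summary step can be dry-run anywhere. The
# third record is for another domain and must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1549297728.123:456): avc:  denied  { write } for  pid=13122 comm="dict" name="mysql.sock" dev="dm-0" ino=12345 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1549297728.123:456): avc:  denied  { connectto } for  pid=13122 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1549297728.123:457): avc:  denied  { write } for  pid=2201 comm="httpd" name="mysql.sock" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=0'

# Dry run when invoked as "sh script.sh demo": summarise the sample and write
# the .te into a temp dir. Run build/load/verify on the target host as root.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AVC" > "$tmp/avc.log"
    dovecot_avc_summary "$tmp/avc.log"
    dovecot_mysql_write_te "$tmp"
fi
```

Run the summary against the real ausearch output first: if it shows only sock_file write and unix_stream_socket connectto towards mysqld types, the module above is exactly what is missing; if it also shows, say, a search denial on some other directory type, audit2allow -w on those records will tell you which interface covers it rather than adding a raw allow rule.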