Re: SELinux blocking Dovecot from mysqld socket

On 2/5/19 10:41 AM, Ondrej Mosnacek wrote:
On Tue, Feb 5, 2019 at 2:54 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:


On 2/5/19 3:23 AM, Zdenek Pytela wrote:



On Mon, Feb 4, 2019 at 9:03 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
I am working with Centos7:

I have configured Dovecot to connect to mysqld via socket:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
password=Postfix_Database_Password

I test sending a message with

sendmail -i rgm@xxxxxxxxxxxxxxxxxxxx < README

This fails with the following message in maillog

Feb  4 11:28:48 klovia dovecot: dict(13122): Error:
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix):
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

If I setenforce to 0, the connection works.  So it clearly is an SELinux
problem.  I worked on this almost 2 years ago on another system and found:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

But I was hoping that there were better tools now with Centos7.  I
checked for setsebool at:

https://linux.die.net/man/8/mysqld_selinux

and tried:

setsebool -P allow_user_mysql_connect 1

But the mail still does not go unless I setenforce to 0.
Hi,

this boolean allows a different permission - see the manual page:
If you want to allow users to connect to mysql, you must turn on the allow_user_mysql_connect boolean.
Is there some way to get SELinux to allow dovecot (and postfix) to
connect to mysqld?
While dovecot is allowed to connect to postgresql port, there is no similar permission for mysql:

# sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

However, if this permission is the only one missing, you can simply add it with:

# echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
# semodule -i dovecot-mysql.cil
# sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;


Still getting the error.  This does not seem to be what is needed.  Isn't this to open TCP access where I am using the unix socket interface?
Indeed, what Zdenek advised is for allowing to connect via TCP. Could
you try the following instead?

dnf install selinux-policy-devel

Nit: this is CentOS7, so yum.  In fact it is CentOS7-armhfp...

cat >dovecot_mysql.te <<EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
        type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF

For some reason this made an empty file.  Don't know if it was the lack of spaces on that first line?  I use this myself a lot, but always put spaces around the > and <<

So I just used vi this time.  :)

make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp

semodule -i dovecot_mysql.pp

And the sendmail test went through with enforcing.

thanks!
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
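The procedure the thread arrives at, gathered into one script as an added example (this is my code, not anything posted in the thread or shipped by the selinux-policy project). It assumes the module name dovecot_mysql, a temporary build directory, and that selinux-policy-devel is installed from yum on CentOS 7. One detail worth noting: with an unquoted heredoc delimiter (`<<EOF`), the shell performs command substitution on the body, so the lone backtick in `gen_require(\`` opens a substitution that is never closed; the shell aborts the heredoc and the redirected file is left empty, which matches the empty file reported above. Quoting the delimiter (`<<'EOF'`) turns that off.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: MODULE, the function
# names below, and a scratch directory from mktemp.

MODULE=dovecot_mysql

# Emit the policy module source. The delimiter is quoted ('EOF') so the
# backtick in gen_require(` is not treated as the start of a command
# substitution; unquoted, the unterminated backtick aborts the heredoc and
# the target file ends up empty.
te_source() {
    cat <<'EOF'
policy_module(dovecot_mysql, 1.0.0)

gen_require(`
        type dovecot_t;
')

# Allow dovecot to read the MySQL client configuration and to connect
# to mysqld over its unix-domain socket (the TCP port rule is not needed
# when "host=/var/lib/mysql/mysql.sock" is used).
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
}

# Count the interface calls the module grants; a quick sanity check that the
# generated source contains both rules (expected: 2).
te_rule_count() {
    te_source | grep -c '^mysql_.*(dovecot_t)$'
}

# Show recent AVC denials against dovecot_t, i.e. what setenforce 0 was masking.
show_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep dovecot_t || echo "no AVC records for dovecot_t"
}

# Write the .te, compile it to a .pp with the devel Makefile, and load it.
build_and_install() {
    dir=$(mktemp -d) || return 1
    te_source > "$dir/$MODULE.te"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" ) || return 1
    semodule -i "$dir/$MODULE.pp"
}

# Verify the loaded policy now lets dovecot_t connect to mysqld_t's stream socket.
verify() {
    sesearch -A -s dovecot_t -t mysqld_t -c unix_stream_socket -p connectto | grep -q connectto
}

case "${1:-}" in
    denials) show_denials ;;
    install) build_and_install && verify && echo "$MODULE loaded and verified" ;;
    *) te_source ;;   # default: print the generated .te for review
esac
```

Run it with `denials` first to confirm the denial really is against dovecot_t, then with `install` as root; the `verify` step is the check to run before flipping enforcing back on, since a module that loads cleanly but grants the wrong class (for example the tcp_socket rule tried earlier in the thread) will still leave the socket connect denied.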