On 2/5/19 10:41 AM, Ondrej Mosnacek wrote:
On Tue, Feb 5, 2019 at 2:54 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
On 2/5/19 3:23 AM, Zdenek Pytela wrote:
On Mon, Feb 4, 2019 at 9:03 PM Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
I am working with Centos7:
I have configured Dovecot to connect to mysqld via socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix
password=Postfix_Database_Password
I test sending a message with
sendmail -i rgm@xxxxxxxxxxxxxxxxxxxx < README
This fails with the following message in maillog
Feb 4 11:28:48 klovia dovecot: dict(13122): Error:
mysql(/var/lib/mysql/mysql.sock): Connect failed to database (postfix):
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
If I setenforce to 0, the connection works. So it clearly is an SELinux
problem. I worked on this almost 2 years ago on another system and found:
http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
But I was hoping that there were better tools now with Centos7. I
checked for setsebool at:
https://linux.die.net/man/8/mysqld_selinux
and tried:
setsebool -P allow_user_mysql_connect 1
But the mail still does not go unless I setenforce to 0.
Hi,
this boolean allows a different permission - see the manual page:
If you want to allow users to connect to mysql, you must turn on the allow_user_mysql_connect boolean.
Is there someway to get SELinux to allow dovecot (and postfix) to
connect to mysqld?
While dovecot is allowed to connect to postgresql port, there is no similar permission for mysql:
# sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t postgresql_port_t:tcp_socket name_connect;
However, if this permission is the only one missing, you can simply add it with:
# echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
# semodule -i dovecot-mysql.cil
# sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;
Still getting the error. This does not seem to be what is needed. Isn't this to open TCP access where I am using the unix socket interface?
Indeed, what Zdenek advised is for allowing to connect via TCP. Could
you try the following instead?
dnf install selinux-policy-devel
Nit this is CentOS7, so yum. In fact it is CentOS7-armhfp...
cat >dovecot_mysql.te <<EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
For some reason this made an empty file. Don't know if it was the lack
of spaces on that first line? I use this myself a lot, but always put
spaces around the > and <<
So I just used vi this time. :)
make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp
And the sendmail test went through with enforcing.
thanks!
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
