Robert Moskowitz
2017-Apr-07 14:37 UTC
[CentOS] SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver:

Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

They go away when I setenforce 0.

So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

that provides a /etc/selinux/dovecot2mysql.te

Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).

thanks!
Robert Moskowitz
2017-Apr-07 15:14 UTC
[CentOS] Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I reread my dovecot sql.conf.ext files and realized they were actually connecting to localhost. So I did some googling, and found how to connect to the socket:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password

And all fixed. No more failures. Plus probably securer.

On 04/07/2017 10:37 AM, Robert Moskowitz wrote:
> I have been getting the following on my new mailserver:
>
> Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect
> failed to database (postfix): Can't connect to local MySQL server
> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25
> seconds before retry
>
> They go away when I setenforce 0.
>
> So I googled dovecot mysql selinux and the only worthwhile hit was:
>
> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
>
> that provides a /etc/selinux/dovecot2mysql.te
>
> Is there a simpler way like a setsebool option?
>
> With all the howtos on dovecot with mysql, it is interesting that none
> of them seem to have this problem. Maybe because they connect to
> mysql through TCP port 3306 which has ITS set of problems (like
> MariaDB defaults to not listening on TCP).
>
> thanks!
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
Robert Moskowitz
2017-Apr-25 08:04 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
I thought I had this fixed, but I do not. I was away from this problem working on other matters, and came back (after a reboot) and it is still there, so I suspect when I thought I had it 'fixed' I was running with setenforce 0 from another problem (that is fixed).

So anyone know how to get dovecot dict connecting to mysql when enforcing? Googling is not finding any real help.

On 04/07/2017 04:37 PM, Robert Moskowitz wrote:
> I have been getting the following on my new mailserver:
>
> Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect
> failed to database (postfix): Can't connect to local MySQL server
> through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25
> seconds before retry
>
> They go away when I setenforce 0.
>
> So I googled dovecot mysql selinux and the only worthwhile hit was:
>
> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html
>
> that provides a /etc/selinux/dovecot2mysql.te
>
> Is there a simpler way like a setsebool option?
>
> With all the howtos on dovecot with mysql, it is interesting that none
> of them seem to have this problem. Maybe because they connect to
> mysql through TCP port 3306 which has ITS set of problems (like
> MariaDB defaults to not listening on TCP).
>
> thanks!
Laurent Wandrebeck
2017-Apr-25 08:26 UTC
[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
On Tuesday, 25 April 2017 at 10:04 +0200, Robert Moskowitz wrote:
> I thought I had this fixed, but I do not. I was away from this problem
> working on other matters, and came back (after a reboot) and it is still
> there, so I suspect when I thought I had it 'fixed' I was running with
> setenforce 0 from another problem (that is fixed).
>
> So anyone know how to get dovecot dict connecting to mysql when
> enforcing? Googling is not finding any real help.

Hi,

I've got some "tweaking" here (using postgresql, obviously) so that dovecot runs properly with SELinux enabled,

HTH,
Laurent.

module mydovecot 1.0;

require {
	type dovecot_auth_t;
	type postgresql_port_t;
	type dovecot_t;
	type var_t;
	type postfix_virtual_tmp_t;
	class tcp_socket name_connect;
	class file { rename read lock create write getattr link unlink open append };
	class dir { read write create add_name remove_name };
}

#============= dovecot_auth_t =============

#!!!! This avc is allowed in the current policy
allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect;

#============= dovecot_t =============

#!!!! This avc is allowed in the current policy
allow dovecot_t postfix_virtual_tmp_t:file { rename write unlink open link };
allow dovecot_t var_t:dir create;

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:dir { read write add_name remove_name };

#!!!! This avc is allowed in the current policy
allow dovecot_t var_t:file { rename read lock create write getattr link unlink open append };

-- 
Laurent Wandrebeck <l.wandrebeck at quelquesmots.fr>
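Added example, not part of any post in this thread: a small Python sketch of how AVC denial records for the dict process could be reduced to a minimal local policy module in the same format as the one posted above. The audit records are constructed, the SELinux type names in them (dovecot_t, mysqld_t, mysqld_var_run_t) are assumptions about what a real denial on this setup would show, and the module name dovecot_mysql_local is hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the thread). The domain and type
# names are assumptions; a real system may log different ones.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1491574647.101:412): avc:  denied  { write } for  pid=2291 comm="dict" name="mysql.sock" dev="dm-0" ino=67312 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1491574647.101:413): avc:  denied  { connectto } for  pid=2291 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1491574672.230:420): avc:  denied  { write } for  pid=2291 comm="dict" name="mysql.sock" dev="dm-0" ino=67312 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1491574700.007:431): avc:  denied  { read } for  pid=911 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)')

def collect_denials(audit_text, comm):
    """Group denied permissions by (source type, target type, class) for one command."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(2) != comm:
            continue  # not an AVC denial, or a denial for an unrelated process
        perms, _, scon, tcon, tclass = m.groups()
        # A context is user:role:type:level; the type is the third field.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        rules[(src, tgt, tclass)].update(perms.split())
    return rules

def render_module(name, rules):
    """Emit a .te module that allows exactly the collected denials and nothing more."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("dovecot_mysql_local", collect_denials(SAMPLE_AUDIT, "dict")))
```

Filtering on the comm field keeps unrelated denials out of the module, so each allow rule can be reviewed against the one failure it is meant to fix before the module is compiled and loaded.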