SELinux policy to allow Dovecot to connect to Mysql
As I have noted in previous messages, I have been getting the following on my new mailserver:
Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry
They go away when I setenforce 0. It is not a timing issue as I earlier thought.
So I googled dovecot mysql selinux and the only worthwhile hit was:
http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.ht...
that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.
Is there a simpler way, like a setsebool option?
With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem. Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).
thanks!
The strange thing is that dovecot auth has no problem connecting to mysql, but the quota query is what is failing.
On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
I reread my sql.conf.ext files and realized they were actually connecting to localhost. So I did some googling, and found how to connect to the socket:
connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password
And all fixed. No more failures. Plus probably more secure.
On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
This is an old issue, but I am building a new system and hit this problem all over again.
This time, I asked for help from the SELinux list, as googling did not find anything new. What resulted was a policy to allow dovecot to connect to mysql.sock:
yum install policycoreutils
cat > dovecot_mysql.te << \EOF
policy_module(dovecot_mysql, 1.0.0)

gen_require(`
    type dovecot_t;
')

mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF
make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp
IF you are using a TCP connection over 127.0.0.1, then it is simpler:
echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
semodule -i dovecot-mysql.cil
sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;
Enjoy!
On 4/7/17 11:12 AM, Robert Moskowitz wrote:
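An added example, not from the thread or from Robert's setup: a small shell script that turns the AVC denials behind the "(13)" connect error into the allow rules the two fixes above grant, so you can tell from the audit log whether you need the .te module (socket path) or the one-line CIL rule (TCP path) before loading either. The audit lines are constructed samples, and the labels (dovecot_t, mysqld_t, mysqld_var_run_t, mysqld_port_t) and the dict process running as dovecot_t are assumptions about the stock policy.

```shell
# Added example, not from the thread: derive allow rules from AVC denials.
# The audit lines below are CONSTRUCTED samples in audit.log format; the SELinux
# labels (dovecot_t, mysqld_t, mysqld_var_run_t, mysqld_port_t) and the dict
# process running in dovecot_t are assumptions about the stock policy.
SOCKET_AVC='type=AVC msg=audit(1491574647.123:456): avc:  denied  { write } for  pid=1234 comm="dict" name="mysql.sock" dev="tmpfs" ino=1 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1491574647.124:457): avc:  denied  { connectto } for  pid=1234 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0'
TCP_AVC='type=AVC msg=audit(1491574650.001:460): avc:  denied  { name_connect } for  pid=1234 comm="dict" dest=3306 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_allow DOMAIN: read audit lines on stdin and print one allow rule per
# denial whose source domain is DOMAIN, in the syntax sesearch prints. Dovecot
# retries every 25 seconds, so identical denials repeat; dedupe them.
avc_to_allow() {
    grep 'avc: *denied' | awk -v dom="$1" '
    {
        perm = ""; scon = ""; tcon = ""; cls = ""
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (index(perm, " ")) perm = "{ " perm " }"   # several perms in one denial
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); scon = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tcon = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        if (scon == dom && cls != "") print "allow " scon " " tcon ":" cls " " perm ";"
    }' | sort -u
}

# recommend_fix: from audit lines on stdin, name the fix from the thread that
# covers the dovecot_t denials: the .te module (Unix socket) or the CIL rule (TCP).
recommend_fix() {
    rules=$(avc_to_allow dovecot_t)
    if printf '%s\n' "$rules" | grep -q 'mysqld_t:unix_stream_socket connectto'; then
        echo dovecot_mysql.te
    elif printf '%s\n' "$rules" | grep -q 'mysqld_port_t:tcp_socket name_connect'; then
        echo dovecot-mysql.cil
    else
        echo none
    fi
}

# On a real box: ausearch -m avc -c dict | recommend_fix
printf '%s\n' "$SOCKET_AVC" | avc_to_allow dovecot_t
printf '%s\n' "$SOCKET_AVC" | recommend_fix
```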