Really solved - Re: Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Robert Moskowitz rgm at htt-consult.com
Tue Feb 5 22:50:51 EET 2019 

This is an old issue, but I am building a new system and hit this 
problem all over again.

This time, I asked for help from the SELinux list, as googling did not 
find anything new.  What resulted was a policy to allow dovecot to 
connect to mysql.sock:

yum install policycoreutils

cat > dovecot_mysql.te <<  \EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
        type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF

make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

IF you are using a TCP connection over 127.0.0.1, then it is simpler:


echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > 
dovecot-mysql.cil
semodule -i dovecot-mysql.cil
sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

Enjoy!

On 4/7/17 11:12 AM, Robert Moskowitz wrote:
> I reread my sql.conf.ext files and realized they were actually 
> connecting to localhost.  So I did some googling, and found how to 
> connect to the socket:
>
> connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix 
> password=Postfix_Database_Password
>
> And all fixed.  No more failures.  Plus probably securer.
>
> On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
>> The strange thing is that dovecot auth has no problem connecting to 
>> mysql, but the quota query is what is failing.
>>
>> On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
>>> As I have noted in previous messages, I been getting the following 
>>> on my new mailserver:
>>>
>>> Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): 
>>> Connect failed to database (postfix): Can't connect to local MySQL 
>>> server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 
>>> 25 seconds before retry
>>>
>>> They go away when I setenforce 0.  It is not a timing issue as I 
>>> earlier thought.
>>>
>>> So I googled dovecot mysql selinux and the only worthwhile hit was:
>>>
>>> http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html 
>>>
>>>
>>> that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.
>>>
>>> Is there a simpler way like a setsbool option?
>>>
>>> With all the howtos on dovecot with mysql, it is interesting that 
>>> none of them seem to have this problem.  Maybe because they connect 
>>> to mysql through TCP port 3306 which has ITS set of problems (like 
>>> MariaDB defaults to not listening on TCP).
>>>
>>> thanks!
>>>
>>
>

More information about the dovecot mailing list