This is an old issue, but I am building a new system and hit this problem all over again.

This time, I asked for help from the SELinux list, as googling did not find anything new.  What resulted was a policy to allow dovecot to connect to mysql.sock:

yum install policycoreutils

cat > dovecot_mysql.te <<  \EOF
policy_module(dovecot_mysql,1.0.0)
gen_require(`
       type dovecot_t;
')
mysql_read_config(dovecot_t)
mysql_stream_connect(dovecot_t)
EOF

make -f /usr/share/selinux/devel/Makefile dovecot_mysql.pp
semodule -i dovecot_mysql.pp

If you are using a TCP connection over 127.0.0.1, then it is simpler:


echo '(allow dovecot_t mysqld_port_t (tcp_socket (name_connect)))' > dovecot-mysql.cil
semodule -i dovecot-mysql.cil
sesearch -A -s dovecot_t -c tcp_socket -p name_connect | grep sql
allow dovecot_t mysqld_port_t:tcp_socket name_connect;
allow dovecot_t postgresql_port_t:tcp_socket name_connect;

Enjoy!

On 4/7/17 11:12 AM, Robert Moskowitz wrote:
I reread my sql.conf.ext files and realized they were actually connecting to localhost.  So I did some googling, and found how to connect to the socket:

connect = host=/var/lib/mysql/mysql.sock dbname=postfix user=postfix password=Postfix_Database_Password

And all fixed.  No more failures.  Plus probably securer.

On 04/07/2017 10:57 AM, Robert Moskowitz wrote:
The strange thing is that dovecot auth has no problem connecting to mysql, but the quota query is what is failing.

On 04/07/2017 10:43 AM, Robert Moskowitz wrote:
As I have noted in previous messages, I have been getting the following on my new mailserver:

Apr  7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry

They go away when I setenforce 0.  It is not a timing issue as I earlier thought.

So I googled dovecot mysql selinux and the only worthwhile hit was:

http://zszsit.blogspot.com/2012/12/dovecot-mysql-selinux-issue-on-centos6.html

that provides a /etc/selinux/dovecot2mysql.te and other selinux stuff.

Is there a simpler way like a setsebool option?

With all the howtos on dovecot with mysql, it is interesting that none of them seem to have this problem.  Maybe because they connect to mysql through TCP port 3306 which has ITS set of problems (like MariaDB defaults to not listening on TCP).

thanks!
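
An added example, not part of the original messages: a shell filter that reads AVC denials for dovecot_t and names which of the two fixes in this thread (the dovecot_mysql .te module or the one-line CIL rule) covers each one. The audit lines are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. All log lines below are constructed.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1491574647.101:301): avc:  denied  { write } for  pid=2101 comm="dict" name="mysql.sock" dev="dm-0" ino=1234 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1491574647.102:302): avc:  denied  { connectto } for  pid=2101 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1491574650.200:310): avc:  denied  { name_connect } for  pid=2101 comm="dict" dest=3306 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1491574651.300:311): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Print "perms tclass target_type fix" for every dovecot_t denial on stdin.
classify_avc() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:dovecot_t:/ {
      perm = $0;   sub(/.*[{] */, "", perm);     sub(/ *[}].*/, "", perm)
      tclass = $0; sub(/.*tclass=/, "", tclass); sub(/ .*/, "", tclass)
      ttype = $0;  sub(/.*tcontext=/, "", ttype); split(ttype, c, ":"); ttype = c[3]
      fix = "unhandled"
      if (tclass == "tcp_socket" && perm == "name_connect" && ttype == "mysqld_port_t")
        fix = "cil:name_connect"          # covered by the one-line CIL rule
      else if (ttype ~ /^mysqld_/ && (tclass == "sock_file" || tclass == "unix_stream_socket"))
        fix = "te:mysql_stream_connect"   # covered by the .te module (socket access)
      else if (ttype == "mysqld_etc_t")
        fix = "te:mysql_read_config"      # covered by the .te module (config read)
      print perm, tclass, ttype, fix
    }'
}

# Distinct fixes needed for the denials on stdin.
needed_fixes() { classify_avc | awk '{ print $NF }' | sort -u; }

sample_avc | classify_avc
```

On a live system, feed it /var/log/audit/audit.log in place of sample_avc; a line reported as "unhandled" is a denial that neither fix from this thread addresses.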
