On 04/26/2017 07:29 AM, Robert Moskowitz wrote:
>
>
> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>> This made the same content as before that caused problems:
>>
>> I still don't understand, exactly. Are you seeing *new* problems
>> after installing a policy? What are the problems?
>>
>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your
>>> system.
>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>> #!!!! This avc can be allowed using the boolean
>>> 'daemons_enable_cluster_mode'
>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>
>>> What do these 3 comments mean?
>>
>> I'm not sure about the first two. The context you see is the same I
>> see on the one system where I run mysqld. Running restorecon doesn't
>> change that context.
>>
>> As for the latter, it sounds like you should be able to remove your
>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to
>> allow dovecot to connect to mysql.
>
> Did not work. It was set off, so I turned it on and tried it out. Got
> the same errors:
>
> Apr 26 01:25:45 z9m9z dovecot: dict: Error:
> mysql(/var/lib/mysql/mysql.sock): Connect failed to database
> (postfix): Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed:
> Not connected to database
>
> You would think that the mysql people would have a boolean to allow
> specific apps to access the socket.
>
> And document it.

mysql.org is really NOT helpful. They say:

If you are running under Linux and Security-Enhanced Linux (SELinux) is enabled, make sure you have disabled SELinux protection for the mysqld process.

The only policy available is for allowing http to access mysql.
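
Added example, not part of the original message or of any project's code: a small parser that turns AVC denial records into the kind of `allow` rule quoted in the thread, plus the `require` block a standalone policy module needs. The audit records are constructed for illustration (only the types, class and socket path come from the thread), and the function names and the module name `dovecot_mysql` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the thread): the types and class match
# the rule quoted above; pid, comm, timestamps and serials are made up.
_AVC = ('type=AVC msg=audit(1493184345.101:812): avc:  denied  { connectto } '
        'for  pid=2211 comm="dict" path="/var/lib/mysql/mysql.sock" '
        'scontext=system_u:system_r:dovecot_t:s0 '
        'tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket\n')
# exit=-13 is EACCES, the "(13)" in the dovecot error message
_SYSCALL = 'type=SYSCALL msg=audit(1493184345.101:812): success=no exit=-13\n'
SAMPLE_AUDIT_LOG = _AVC + _SYSCALL + _AVC  # the retry repeats the denial

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, ...) are skipped
            key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
            found[key].update(m["perms"].split())
    return dict(found)

def allow_rules(found):
    """Render one allow statement per (source, target, class) triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(found.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

def te_module(name, found):
    """Build type-enforcement source with the require block the rules need."""
    types = sorted({t for (s, g, _c) in found for t in (s, g)})
    classes = defaultdict(set)
    for (_s, _g, cls), perms in found.items():
        classes[cls] |= perms
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    body += ["}", ""] + allow_rules(found)
    return "\n".join(body) + "\n"
```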