[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Wed Apr 26 05:50:10 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>

On 04/26/2017 07:29 AM, Robert Moskowitz wrote:
> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>> This made the same content as before that caused problems:
>> I still don't understand, exactly.  Are you seeing *new* problems 
>> after installing a policy?  What are the problems?
>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your 
>>> system.
>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>> #!!!! This avc can be allowed using the boolean 
>>> 'daemons_enable_cluster_mode'
>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>> What do these 3 comments mean?
>> I'm not sure about the first two.  The context you see is the same I 
>> see on the one system where I run mysqld.  Running restorecon doesn't 
>> change that context.
>> As for the latter, it sounds like you should be able to remove your 
>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to 
>> allow dovecot to connect to mysql.
> did not work.  it was set off, so I turned it on and tried it out. Got 
> the same errors:
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: 
> mysql(/var/lib/mysql/mysql.sock): Connect failed to database 
> (postfix): Can't connect to local MySQL server through socket 
> '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: 
> Not connected to database
> You would think that the mysql people would have a boolean to allow 
> specific apps to access the socket.
> And document it.

mysql.org is really NOT helpful.  They say:

If you are running under Linux and Security-Enhanced Linux (SELinux) is 
enabled, make sure you have disabled SELinux protection for the mysqld 

They only policy available is for allowing http to access mysql.