[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Wed Apr 26 06:32:48 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/26/2017 08:21 AM, Rob Kampen wrote:
> On 26/04/17 17:29, Robert Moskowitz wrote:
>>
>>
>> On 04/26/2017 04:22 AM, Gordon Messmer wrote:
>>> On 04/25/2017 03:25 PM, Robert Moskowitz wrote:
>>>> This made the same content as before that caused problems:
>>>
>>> I still don't understand, exactly.  Are you seeing *new* problems 
>>> after installing a policy?  What are the problems?
>>>
>>>> #!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your 
>>>> system.
>>>> #!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
>>>> #!!!! This avc can be allowed using the boolean 
>>>> 'daemons_enable_cluster_mode'
>>>> allow dovecot_t mysqld_t:unix_stream_socket connectto;
>>>>
>>>> What do these 3 comments mean?
>>>
>>> I'm not sure about the first two.  The context you see is the same I 
>>> see on the one system where I run mysqld.  Running restorecon 
>>> doesn't change that context.
>>>
>>> As for the latter, it sounds like you should be able to remove your 
>>> custom policy and "setsebool -P daemons_enable_cluster_mode 1" to 
>>> allow dovecot to connect to mysql.
>>
>> Did not work.  It was set off, so I turned it on and tried it out. 
>> Got the same errors:
>>
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: 
>> mysql(/var/lib/mysql/mysql.sock): Connect failed to database 
>> (postfix): Can't connect to local MySQL server through socket 
>> '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry
>> Apr 26 01:25:45 z9m9z dovecot: dict: Error: dict sql lookup failed: 
>> Not connected to database
>>
> How have you specified your mysql server host? As localhost, 127.0.0.1 
> or as the host's IP address? In my experience it needs to be localhost 
> or 127.0.0.1 and these are also defined in /etc/hosts
> hth

I am specifically using a socket connection.  I have tried 127.0.0.1 and 
had problems with that too.  But different.

>> You would think that the mysql people would have a boolean to allow 
>> specific apps to access the socket.
>>
>> And document it.
>>
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>
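
An added example, not part of the original thread: how AVC denial records collapse into the `allow dovecot_t mysqld_t:unix_stream_socket connectto;` rule quoted above, and how the `(13)` in the dovecot error decodes to an errno name. The audit records are constructed for illustration (timestamps, pid and `comm` are assumptions); only the types, class, permission and socket path come from the thread.

```python
import errno
import re

# Constructed sample audit records: the same denial logged on two retries,
# plus one unrelated record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493169945.101:311): avc:  denied  { connectto } for  pid=2417 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1493169946.220:312): avc:  denied  { connectto } for  pid=2417 comm="dict" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=USER_LOGIN msg=audit(1493169950.000:313): constructed unrelated record
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def allow_rules(audit_text):
    """Collapse AVC denials into sorted, de-duplicated allow rules."""
    grouped = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # For connectto, the target type is the domain of the process that
        # owns the listening socket (mysqld_t), not the socket file's label.
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped.setdefault(key, set()).update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def errno_name(code):
    """Map the number in a client error such as '(13)' to its errno name."""
    return errno.errorcode.get(code, "UNKNOWN")


if __name__ == "__main__":
    print(allow_rules(SAMPLE_AUDIT_LOG), errno_name(13))
```
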