[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Sun Apr 30 05:49:21 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>

On 04/28/2017 06:36 PM, Gordon Messmer wrote:
> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>> Here are the messages I got:
>> type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } 
>> for  pid=3047 comm="cleanup" 
>> scontext=system_u:system_r:postfix_master_t:s0 
>> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process 
>> permissive=1
> My advice would be to slow down, and solve one problem at a time.

I failed to look at the content of these messages and see that there was 
also a problem with postfix accessing mysql.  I was not getting any 
errors about this in maillog.

> We were talking about testing dovecot, and now you're testing postfix.

I would have to think a bit about how to test dovecot accessing mysql 
without it processing an email handed off to it by postfix.

> I know you need them both to work, but these are separate services, 
> with their own individual policies.  If you're going to submit a bug 
> report, you need to be able to specifically describe the problem and 
> the solution.  You're not going to do that by mixing different 
> services together.

Nope.  But I see now there is a broader problem.

>> sendmail -i testit3 at test.htt-consult.com < 
>> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>> It failed accessing mysql with the following maillog messages:
> Yes, but the policy you added earlier only granted MySQL access to 
> dovecot.  For postfix, you'll want to check for booleans first and 
> then create a policy (without debugging AVCs) if no boolean exists, 
> and then look at debugging AVCs if there are still issues (which is 
> *almost* never the case).

So now I do some googling about postfix/mysql and SELinux.  Probably a 
better discussed combination.

>> When I get home Monday, I am going to rebuild the server.
> That would be good.  Keep a log of *all* of the changes you make to 
> the system, from the very beginning.  Once you resolve the problem, 
> rebuild the server again and follow your log.
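
Added example (not part of the original message, and not code from either poster): a small Python triage script that parses AVC denial records like the one quoted above and groups them by source domain, so that postfix and dovecot denials can be worked on one service at a time. The dovecot and SYSCALL sample lines are constructed, and treating rlimitinh/siginh/noatsecure as debug-only noise is an assumption of this example.

```python
import re
from collections import defaultdict

# Assumption of this example: these permissions are normally hidden by
# dontaudit rules and mostly appear when those rules are disabled for debugging.
DEBUG_NOISE = {"rlimitinh", "siginh", "noatsecure"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    return {
        "comm": m.group("comm"),
        # A context is user:role:type:level; the type is what policy rules name.
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": perms,
        "permissive": m.group("permissive") == "1",
        "noise": set(perms) <= DEBUG_NOISE,
    }

def group_by_service(lines):
    """Group denials by the service prefix of the source domain."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        # postfix_master_t -> "postfix", dovecot_auth_t -> "dovecot"
        groups[rec["source"].split("_")[0]].append(rec)
    return dict(groups)

SAMPLE = [
    # The denial quoted in the thread, joined back onto one line.
    'type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1',
    # Constructed for this example: a dovecot auth process connecting to MySQL.
    'type=AVC msg=audit(1493361700.000:49210): avc:  denied  { name_connect } for  pid=3100 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1',
    'type=SYSCALL msg=audit(1493361700.000:49210): arch=c000003e syscall=42 success=yes',  # constructed, not an AVC
]

if __name__ == "__main__":
    for service, recs in group_by_service(SAMPLE).items():
        for r in recs:
            print(service, r["source"], "->", r["target"], r["tclass"], r["perms"], "noise" if r["noise"] else "review")
```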