[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
Robert Moskowitz
rgm at htt-consult.com
Sun Apr 30 05:49:21 UTC 2017
On 04/28/2017 06:36 PM, Gordon Messmer wrote:
> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>>
>> Here are the messages I got:
>>
>> type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh }
>> for pid=3047 comm="cleanup"
>> scontext=system_u:system_r:postfix_master_t:s0
>> tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
>> permissive=1
>
>
> My advice would be to slow down, and solve one problem at a time.
I failed to look at the content of these messages and see that there was
also a problem with postfix accessing mysql. I was not getting any
errors about this in maillog.
> We were talking about testing dovecot, and now you're testing postfix.
I would have to think a bit about how to test dovecot accessing mysql
without it processing an email handed off to it by postfix.
> I know you need them both to work, but these are separate services,
> with their own individual policies. If you're going to submit a bug
> report, you need to be able to specifically describe the problem and
> the solution. You're not going to do that by mixing different
> services together.
Nope. But I see now there is a broader problem.
>
>> sendmail -i testit3 at test.htt-consult.com <
>> /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>>
>> It failed accessing mysql with the following maillog messages:
>
> Yes, but the policy you added earlier only granted MySQL access to
> dovecot. For postfix, you'll want to check for booleans first and
> then create a policy (without debugging AVCs) if no boolean exists,
> and then look at debugging AVCs if there are still issues (which is
> *almost* never the case).
So now I do some googling about postfix/mysql and SELinux. Probably a
better discussed combination.
>
>>
>> When I get home Monday, I am going to rebuild the server.
>
> That would be good. Keep a log of *all* of the changes you make to
> the system, from the very beginning. Once you resolve the problem,
> rebuild the server again and follow your log.
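
The AVC record quoted above, parsed and grouped by source domain so that each service's denials can be reviewed on their own, as an added example that is not part of the original thread. The second sample record is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First record is the one quoted in the thread (re-joined onto one line);
# the second is constructed for illustration and is not from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1493361695.041:49205): avc: denied { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.000:49300): avc: denied { name_connect } for pid=4000 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def context_type(context):
    """Return the type field (third component) of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or wrapped record: skip rather than guess
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }

def group_by_service(log_text):
    """Group denials by the prefix of the source domain (postfix, dovecot, ...)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[rec["source"].split("_")[0]].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for service, recs in sorted(group_by_service(SAMPLE_LOG).items()):
        for r in recs:
            print(service, r["source"], "->", r["target"], r["tclass"], r["perms"])
```

Records wrapped across lines, as in the e-mail quote, have to be re-joined before parsing; the parser skips any record that lacks scontext, tcontext or tclass.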