[CentOS] NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql

Sat Apr 29 21:35:25 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 04/28/2017 08:07 PM, me at tdiehl.org wrote:
> On Fri, 28 Apr 2017, Gordon Messmer wrote:
>
>> On 04/28/2017 12:06 AM, Robert Moskowitz wrote:
>>>
>>>  Here are the messages I got:
>>>
>>>  type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for
>>>  pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0
>>>  tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process
>>>  permissive=1
>>
>>
>> My advice would be to slow down, and solve one problem at a time. We 
>> were talking about testing dovecot, and now you're testing postfix.  
>> I know you need them both to work, but these are separate services, 
>> with their own individual policies.  If you're going to submit a bug 
>> report, you need to be able to specifically describe the problem and 
>> the solution.  You're not going to do that by mixing different 
>> services together.
>>
>>>  sendmail -i testit3 at test.htt-consult.com <
>>>  /usr/share/doc/amavisd-new-2.10.1/test-messages/README
>>>
>>>  It failed accessing mysql with the following maillog messages:
>>
>> Yes, but the policy you added earlier only granted MySQL access to 
>> dovecot. For postfix, you'll want to check for booleans first and 
>> then create a policy (without debugging AVCs) if no boolean exists, 
>> and then look at debugging AVCs if there are still issues (which is 
>> *almost* never the case).
>>
>>>
>>>  When I get home Monday, I am going to rebuild the server.
>>
>> That would be good.  Keep a log of *all* of the changes you make to 
>> the system, from the very beginning.  Once you resolve the problem, 
>> rebuild the server again and follow your log.
>
> +1 to what Gordon said. It is the only way you are going to figure it out.
>
> You could use something like Ansible so that you can rebuild the server the
> same way in about 20 minutes. Yes, it takes time to get Ansible or something
> similar to work but once you do, you can build the same thing as many times
> as you need and they are always the same.

I think I have rather good instructions with which I can build the 
server quickly:

http://medon.htt-consult.com/Centos7-mailserver.html

Though I am going to drop mailgraph.  At first, looking at another site 
using it, I was impressed.  But not anymore.  Plus the pages are in 
German, and I really can't do the translation.
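
The advice quoted above, to treat dovecot and postfix as separate services with their own policies, can be applied directly to the audit log. The following is an added example, not part of the original thread: it parses AVC denial records and groups them by source domain so each service's denials can be reviewed on their own. The first sample record is the one quoted in the thread, the second is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample audit log. Record 1 is the denial quoted in the thread; record 2 is a
# constructed dovecot denial for contrast; record 3 is a non-AVC line to skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1493361695.041:49205): avc:  denied  { rlimitinh } for pid=3047 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=1
type=AVC msg=audit(1493361700.100:49210): avc:  denied  { name_connect } for pid=3100 comm="auth" dest=3306 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1493361700.100:49210): arch=c000003e syscall=42 success=yes
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": m.group("permissive") == "1",
    }

def group_by_source(log_text):
    """Group AVC denials by source domain, one bucket per confined service."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[rec["source"]].append(rec)
    return dict(groups)

if __name__ == "__main__":
    for source, recs in sorted(group_by_source(SAMPLE_LOG).items()):
        for r in recs:
            print(f"{source}: {' '.join(r['perms'])} on {r['target']}:{r['tclass']}")
```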