Wednesday, December 12, 2012

Dovecot -> MySQL SElinux issue on CentOS6

I set up a postfix, dovecot, mysql, postfixadmin combo on SElinux enabled CentOS6, but I was keep getting following error in mail.log:

dovecot: dict: Error: mysql: Connect failed to localhost (mail): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry

The problem is that Selinux prevents dovecot connecting to mysql socket. I was unable to find simple solution by setting some setsebol parameter, so I went through the audit.log with audit2allow.

Create dovecot2mysql.te file under /etc/selinux:
cat > /etc/selinux/dovecot2mysql.te
module dovecot2mysqldb 1.0.0;

require {
    type dovecot_t;
    type dovecot_deliver_t;
    type var_t;
    type mysqld_db_t;
    type mysqld_t;
    type mysqld_var_run_t;
    type usr_t;
    class file { rename read create write getattr link unlink open };
    class dir search;
    class unix_stream_socket connectto;
    class sock_file write;
    class file { read getattr open };

allow dovecot_deliver_t var_t:file { rename read create write getattr link unlink open };
allow dovecot_t mysqld_db_t:dir search;
allow dovecot_t mysqld_t:unix_stream_socket connectto;
allow dovecot_t mysqld_var_run_t:sock_file write;
allow dovecot_t usr_t:file { read getattr open };

cat >/etc/selinux/ <<EOF
echo "\$name"
checkmodule -M -m -o \$name.mod \$name.te \
  && semodule_package -o \$name.pp -m \$name.mod \
  && /usr/sbin/semodule -i \$name.pp

chmod 700 /etc/selinux/
/etc/selinux/ /etc/selinux/dovecot2mysql.te


  1. Just want to say thank you for this post. This fixed the issues I was having.

    One thing, need to add a ';' at the end of line 20.

    1. I am happy to hear that it helped.
      Thanks for the feedback, I just corrected the typo.

  2. Thank you, you saved me hours of work!

  3. This comment has been removed by the author.

  4. Tank you very much! I had a similar issue with Dovecot silently crashing when trying to calculate the users Quota through a SQL query. (and no denied error in the audit.log)

    First I got the error "Can't read dir of '/etc/my.cnf.d'"; adding:
    type mysqld_etc_t;
    type ...

    allow dovecot_t mysqld_etc_t:file { read getattr open };
    allow dovecot_t mysqld_etc_t:dir { read getattr open };

    to the SELinux module fixed that error, but threw the one you described here. So combining your rules with mine fixed the problem once and for all!