Wednesday, December 12, 2012

Dovecot -> MySQL SElinux issue on CentOS6

I set up a postfix, dovecot, mysql, postfixadmin combo on SElinux enabled CentOS6, but I was keep getting following error in mail.log:

dovecot: dict: Error: mysql: Connect failed to localhost (mail): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 1 seconds before retry

The problem is that Selinux prevents dovecot connecting to mysql socket. I was unable to find simple solution by setting some setsebol parameter, so I went through the audit.log with audit2allow.

Solution:
Create dovecot2mysql.te file under /etc/selinux:
cat > /etc/selinux/dovecot2mysql.te
module dovecot2mysqldb 1.0.0;

require {
    type dovecot_t;
    type dovecot_deliver_t;
    type var_t;
    type mysqld_db_t;
    type mysqld_t;
    type mysqld_var_run_t;
    type usr_t;
    class file { rename read create write getattr link unlink open };
    class dir search;
    class unix_stream_socket connectto;
    class sock_file write;
    class file { read getattr open };
}


allow dovecot_deliver_t var_t:file { rename read create write getattr link unlink open };
allow dovecot_t mysqld_db_t:dir search;
allow dovecot_t mysqld_t:unix_stream_socket connectto;
allow dovecot_t mysqld_var_run_t:sock_file write;
allow dovecot_t usr_t:file { read getattr open };


cat >/etc/selinux/sel.sh <<EOF
name=\${1%%.*}
echo "\$name"
checkmodule -M -m -o \$name.mod \$name.te \
  && semodule_package -o \$name.pp -m \$name.mod \
  && /usr/sbin/semodule -i \$name.pp
EOF

chmod 700 /etc/selinux/sel.sh
/etc/selinux/sel.sh /etc/selinux/dovecot2mysql.te
Posted by at
Labels: , , , ,

4 comments:

  1. ZsZsFebruary 4, 2013 at 7:04 AM

    I am happy to hear that it helped.
    Thanks for the feedback, I just corrected the typo.

    ReplyDelete
  2. UnknownApril 8, 2016 at 5:18 PM

    Thank you, you saved me hours of work!

    ReplyDelete
  3. MacGeneralOctober 23, 2016 at 11:23 AM

    This comment has been removed by the author.

    ReplyDelete
  4. MacGeneralOctober 23, 2016 at 11:24 AM

    Tank you very much! I had a similar issue with Dovecot silently crashing when trying to calculate the users Quota through a SQL query. (and no denied error in the audit.log)

    First I got the error "Can't read dir of '/etc/my.cnf.d'"; adding:
    type mysqld_etc_t;
    type ...

    allow dovecot_t mysqld_etc_t:file { read getattr open };
    allow dovecot_t mysqld_etc_t:dir { read getattr open };

    to the SELinux module fixed that error, but threw the one you described here. So combining your rules with mine fixed the problem once and for all!

    ReplyDelete

Subscribe to: Post Comments (Atom)