After update selinux no access to mariadb from apache cms

Rocky Linux 9.5

2025-02-05T21:53:45+0100 SUBDEBUG Upgrade: mysql-selinux-1.0.13-1.el9_5.noarch

Coppermine critical error:
Unable to connect to database !

MySQLi said: 2002 : Permission denied

Also WordPress, Nextcloud and Roundcube are not working.

Looks like an SELinux problem.

Before the update everything worked.

Only Prosody was not working with MariaDB.

mariadb -u root -p works normally.

setsebool -P httpd_can_network_connect 1

or more restrictive for DB only:

setsebool -P httpd_can_network_connect_db 1

Was already set but it is not the problem.

[root@server5 log]# getsebool -a | grep httpd
httpd_anon_write → off
httpd_builtin_scripting → on
httpd_can_check_spam → off
httpd_can_connect_ftp → off
httpd_can_connect_ldap → off
httpd_can_connect_mythtv → off
httpd_can_connect_zabbix → off
httpd_can_manage_courier_spool → off
httpd_can_network_connect → on
httpd_can_network_connect_cobbler → off
httpd_can_network_connect_db → on
httpd_can_network_memcache → off
httpd_can_network_relay → off
httpd_can_sendmail → on
httpd_dbus_avahi → off
httpd_dbus_sssd → off
httpd_dontaudit_search_dirs → off
httpd_enable_cgi → on
httpd_enable_ftp_server → off
httpd_enable_homedirs → off
httpd_execmem → off
httpd_graceful_shutdown → off
httpd_manage_ipa → off
httpd_mod_auth_ntlm_winbind → off
httpd_mod_auth_pam → off
httpd_read_user_content → off
httpd_run_ipa → off
httpd_run_preupgrade → off
httpd_run_stickshift → off
httpd_serve_cobbler_files → off
httpd_setrlimit → off
httpd_ssi_exec → off
httpd_sys_script_anon_write → off
httpd_tmp_exec → off
httpd_tty_comm → off
httpd_unified → off
httpd_use_cifs → off
httpd_use_fusefs → off
httpd_use_gpg → off
httpd_use_nfs → off
httpd_use_opencryptoki → off
httpd_use_openstack → off
httpd_use_sasl → off
httpd_verify_dns → off

[root@server5 log]# getsebool -a | grep mysql
mysql_connect_any → off
mysql_connect_http → off
selinuxuser_mysql_connect_enabled → off

You can try running as root
rpm -q audit
ausearch -m AVC

You can also make sure policycoreutils-python-utils package is installed, and use:

audit2why -a

which will give a load of information as to what the selinux violation is, and also:

audit2allow -a

should also give some suggestions/hints for it as well.

Check Cockpit in browser, if you need a GUI. https://[servername]:9090/selinux

```
audit2why -a

type=AVC msg=audit(1740316502.077:26155): avc:  denied  { connectto } for  pid=989 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.
```

```
audit2allow -a

#============= awstats_t ==============
allow awstats_t node_t:udp_socket node_bind;

#============= httpd_t ==============
allow httpd_t unconfined_service_t:unix_stream_socket connectto;

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_etc_t:file open;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_etc_t:file read;
```

Have also the same problem with Prosody, but this is not shown.

How to allow?

Looks like you are trying to connect from php-fpm to the local MySQL UNIX socket (not TCP).

Very similar discussion here

https://forums.almalinux.org/t/selinux-php-fpm-httpd-and-mariadb-socket-connection/1626

Check that all your packages are Rocky official as well.

  1. Have you made sure the SELinux context is correct on the files and directories?
  2. Do you have setroubleshoot-server installed? The program sealert will help troubleshoot SELinux issues.
  3. If you set SELinux to not enforcing, does everything work? If it does, then you may need to make your own policy and install it to SELinux.

SELinux at enforcing denies and logs actions that policy does not allow.
SELinux at permissive logs but allows actions that policy does not allow.
Since denying one action will prevent follow-up actions, those are not logged when enforcing.
Hence permissive gives a better picture of everything that policy might need.

However, not all actions are logged by default. See man semanage-dontaudit.


The audit2why ought to tell all the things that sealert/setroubleshoot tells.


The man audit2allow has examples of steps to create and load a module policy.
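Worked example, added here and not from any of the posters: a small POSIX shell helper that turns an AVC record like the one pasted above into the allow rule that audit2allow prints, so the rule can be read before a module is built from it, and that flags the unconfined_service_t target seen in this thread. The sample record is the thread's own php-fpm denial; the function names are my own.

```sh
#!/bin/sh
# Constructed sample: the php-fpm -> mysql.sock denial pasted in this thread.
SAMPLE_AVC='type=AVC msg=audit(1740316502.077:26155): avc:  denied  { connectto } for  pid=989 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# avc_to_rule: print the TE allow rule for one AVC record, i.e. what
# "audit2allow" derives from it: allow <source type> <target type>:<class> <perms>;
avc_to_rule() {
    printf '%s\n' "$1" | awk '
    function ctx_type(c,  p) { split(c, p, ":"); return p[3] }   # user:role:TYPE:level
    {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)        # text between { and }
        gsub(/^ +| +$/, "", perms)
        if (perms ~ / /) perms = "{ " perms " }"    # several perms: keep the braces
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") stype  = ctx_type(kv[2])
            if (kv[1] == "tcontext") ttype  = ctx_type(kv[2])
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        printf "allow %s %s:%s %s;\n", stype, ttype, tclass, perms
    }'
}

# rule_targets_unconfined: true when the rule would grant access to
# unconfined_service_t. That type means the peer service (here MariaDB) is
# running without its own confined domain, so the generated rule is broader
# than the httpd_t -> mysqld_t access the stock policy booleans provide.
# Worth checking why the service is not in its expected domain before loading.
rule_targets_unconfined() {
    case "$1" in
        *" unconfined_service_t:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the sample record. The load path itself, from man audit2allow, is
# "audit2allow -M <name>" on the collected denials followed by "semodule -i <name>.pp";
# it is not run here.
RULE=$(avc_to_rule "$SAMPLE_AVC")
printf '%s\n' "$RULE"
if rule_targets_unconfined "$RULE"; then
    echo "note: target type is unconfined_service_t; review before loading"
fi
```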

I found the solution. CMS in Apache is working again.