After update selinux no access to mariadb from apache cms

Rocky Linux 9.5

2025-02-05T21:53:45+0100 SUBDEBUG Upgrade: mysql-selinux-1.0.13-1.el9_5.noarch

Coppermine critical error:
Unable to connect to database !

MySQLi said: 2002 : Permission denied

Also WordPress, Nextcloud, Roundcube are not working.

Looks like an SELinux problem.

Before the update everything worked.

Only Prosody was not working with MariaDB.

mariadb -u root -p works normally.

setsebool -P httpd_can_network_connect 1

or more restrictive for DB only:

setsebool -P httpd_can_network_connect_db 1

Was already set but it is not the problem.

[root@server5 log]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_manage_courier_spool --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

[root@server5 log]# getsebool -a | grep mysql
mysql_connect_any --> off
mysql_connect_http --> off
selinuxuser_mysql_connect_enabled --> off

You can try running as root:
rpm -q audit
ausearch -m AVC

You can also make sure the policycoreutils-python-utils package is installed, and use:

audit2why -a

which will give a load of information as to what the SELinux violation is, and also:

audit2allow -a

should also give some suggestions/hints for it as well.
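
Added example (not part of the original thread, and not output from the poster's server): a small shell filter that reduces `ausearch -m AVC` output to one line per distinct denial for a single source domain, so you can see which class and permission is actually being refused before changing booleans or accepting an audit2allow suggestion. The function names `summarize_avc` and `sample_avc` are made up for this example, and the AVC records in `sample_avc` are constructed sample data.

```shell
#!/bin/sh
# Constructed sample AVC records (illustrative only, not from the thread).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1738789000.101:501): avc:  denied  { connectto } for  pid=2101 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1738789001.220:502): avc:  denied  { connectto } for  pid=2102 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1738789002.330:503): avc:  denied  { name_connect } for  pid=2110 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1738789003.440:504): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
EOF
}

# summarize_avc DOMAIN: read AVC records on stdin, keep denials whose source
# type is DOMAIN, and print "count source -> target class {perms} comm=...".
summarize_avc() {
    awk -v dom="$1" '
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = "?"
        # Permissions are the words between the braces.
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (src != dom) next
        n[src " -> " tgt " " cls " {" perms "} comm=" comm]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Demo on the constructed records. On a live system, as root:
#   ausearch -m AVC -ts recent | summarize_avc httpd_t
sample_avc | summarize_avc httpd_t
```
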

Check Cockpit in browser, if you need a GUI. https://[servername]:9090/selinux