SELinux is preventing /usr/sbin/php-fpm from connectto access

I am trying to set up Nextcloud, but I am having issues with SELinux. I get the following error in journalctl:

SELinux is preventing /usr/sbin/php-fpm from connectto access on the unix_stream_socket /var/lib/mysql/mysql.sock.

How can I resolve this?

I am using MariaDB 11.4.7 from MariaDB and Rocky 9.5.

Any help would be greatly appreciated.

That is what journalctl says. How does audit2why formulate it?
audit2allow can create a custom policy (SELinux rules).

Hi, and thank you for your reply!
The output of audit2why is

type=AVC msg=audit(1748594013.719:3750): avc:  denied  { connectto } for  pid=5750 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

The journalctl got a more humane message from someone. Interesting.
Anyway, the output of audit2allow (without “create module” option) will be text too, rules.

Got the following output:

# ausearch -c 'php-fpm' --raw | audit2allow my-phpfpm


#============= httpd_t ==============
allow httpd_t httpd_sys_script_exec_t:dir write;
allow httpd_t httpd_sys_script_exec_t:file { append write };
allow httpd_t unconfined_service_t:unix_stream_socket connectto;
allow httpd_t var_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow httpd_t var_t:file map;

See man audit2allow for examples of making a module policy.

You don’t need to include the allow httpd_t var_t:file map; as it is already set.
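An added example, not part of the thread and not code from audit2allow: a Python sketch that parses AVC records and writes type enforcement source for one object class only, so the module holds just the socket rule that was reviewed instead of everything audit2allow suggested. The first sample record is the one posted above, the second is constructed, and the function names are made up for this example.

```python
import re
from collections import defaultdict

# First record is the AVC from the thread; the second is constructed to
# resemble the var_t file denials, to show that it gets filtered out.
SAMPLE = [
    'type=AVC msg=audit(1748594013.719:3750): avc:  denied  { connectto } for  pid=5750 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(1748594013.800:3751): avc:  denied  { read open } for  pid=5750 comm="php-fpm" path="/constructed/example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type:level, so the type is the third field.
    stype, ttype = m['scon'].split(':')[2], m['tcon'].split(':')[2]
    return stype, ttype, m['tclass'], set(m['perms'].split())

def fmt(perms):
    """Format a permission set the way policy source expects it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_te(module, lines, only_class):
    """Build .te source containing only the denials for one object class."""
    rules, classes = defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        if tclass == only_class:
            rules[(stype, ttype, tclass)] |= perms
            classes[tclass] |= perms
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    # The allow rule covers every process running in the target type,
    # not only the one daemon that owns this socket.
    out += [f'allow {s} {t}:{c} {fmt(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_te('my-phpfpm', SAMPLE, 'unix_stream_socket'))
```

The printed text can be saved as my-phpfpm.te, compiled with checkmodule and semodule_package, and loaded with semodule -i.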