SELinux Permissions Error on Fedora 32

navjotjsingh asked:

I am getting this error repeatedly while trying to run Nextcloud on Fedora 32

type=AVC msg=audit(1601229230.944:718): avc:  denied  { connectto } for  pid=584 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

I am using mariadb 10.5 along with PHP 7.4.10 and Nginx 1.18 on Fedora 32 server.

I have tried using the following commands to resolve it, but nothing seems to work. I am out of ideas. How do I resolve this?

setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_connect 1
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
restorecon -Rv /var/lib/mysql

My answer:

First, you need to undo the damage you inadvertently caused, then second you can fix the original problem.

This command was unnecessary and could prevent resolving the problem. The SELinux policy included with Fedora already contains the correct contexts, and this may override them with incorrect contexts, especially for the socket you are trying to access.

semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"

Reverse its effect with:

semanage fcontext -d -t mysqld_db_t "/var/lib/mysql(/.*)?"

The file /var/lib/mysql/mysql.sock should have the type mysqld_var_run_t. The SELinux policy included with Fedora already has this type, but your socket didn’t have this type set correctly. Either it was created while SELinux was disabled, someone created it in a different directory and moved it there, or some process created it without setting the context correctly. For instance, this might happen if MariaDB was started directly from a terminal rather than through its systemd service unit.

Whatever happened, it probably doesn’t matter. If you have already fixed your configuration as above, then you can fix its context with restorecon.

restorecon -v /var/lib/mysql/mysql.sock

Allowing your web app to talk to the database is simple enough, and you have already done it:

setsebool -P httpd_can_network_connect_db 1

Possibly optional:

Allowing the web server to make any network connections is most likely much more permissive than you really need to be. You can fix that by reversing the boolean.

setsebool -P httpd_can_network_connect 0
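To make denials like the one in the question easier to read, here is an added example (not part of the original question or answer) that parses an AVC line into its source type, target type, object class and requested permission. The sample line is constructed to match the one quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: read an SELinux AVC denial as
# "source type -> target type (class, permission)".
# AVC_SAMPLE is a constructed copy of the denial quoted in the question.

AVC_SAMPLE='type=AVC msg=audit(1601229230.944:718): avc:  denied  { connectto } for  pid=584 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'

# avc_field LINE KEY: print the value of KEY=value in LINE, with surrounding quotes stripped.
# The leading space in the pattern keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission(s) listed between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# avc_type CONTEXT: the type is the third colon-separated field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one line summarising who was denied what against whom.
avc_summary() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf '%s -> %s (%s, %s)\n' "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# Prints: httpd_t -> unconfined_service_t (unix_stream_socket, connectto)
avc_summary "$AVC_SAMPLE"
```

For a `connectto` denial on a `unix_stream_socket`, the target context is the context of the process listening on that socket, so the summary tells you which domain the web server was trying to reach, which is the first thing to check before changing booleans or file contexts.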

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.