
I am getting this error repeatedly while trying to run Nextcloud on Fedora 32

type=AVC msg=audit(1601229230.944:718): avc:  denied  { connectto } for  pid=584 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

I am using mariadb 10.5 along with PHP 7.4.10 and Nginx 1.18 on Fedora 32 server.

I have tried using the following commands to resolve it, but nothing seems to work. I am out of ideas. How do I resolve this?

```sh
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_connect 1
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
restorecon -Rv /var/lib/mysql
```
navjotjsingh

1 Answer

First, you need to undo the damage you inadvertently caused, then second you can fix the original problem.

This command was unnecessary and could prevent resolving the problem. The SELinux policy included with Fedora already contains the correct contexts, and this may override them with incorrect contexts, especially for the socket you are trying to access.

```sh
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
```

Reverse its effect with:

```sh
semanage fcontext -d -t mysqld_db_t "/var/lib/mysql(/.*)?"
```

The file /var/lib/mysql/mysql.sock should have the type mysqld_var_run_t. The SELinux policy included with Fedora already has this type, but your socket didn't have this type set correctly. Either it was created while SELinux was disabled, someone created it in a different directory and moved it there, or some process created it without setting the context correctly. For instance, this might happen if MariaDB was started directly from a terminal rather than through its systemd service unit.

Whatever happened, it probably doesn't matter. If you have already fixed your configuration as above, then you can fix its context with restorecon.

```sh
restorecon -v /var/lib/mysql/mysql.sock
```

Allowing your web app to talk to the database is simple enough, and you have already done it:

```sh
setsebool -P httpd_can_network_connect_db 1
```

Possibly optional:

Allowing the web server to make any network connections is most likely much more permissive than you really need to be. You can fix that by reversing the boolean.

```sh
setsebool -P httpd_can_network_connect 0
```

Michael Hampton
  • Thanks. I followed all the steps but I am still getting the same error i.e. `type=AVC msg=audit(1601234109.505:290): avc: denied { connectto } for pid=575 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0` – navjotjsingh Sep 27 '20 at 19:16
  • @navjotjsingh It looks like you didn't run `restorecon` or the command failed. Try it again, and report if there was any error. – Michael Hampton Sep 27 '20 at 19:18
  • I did run the `restorecon` command but the error hasn't changed. Also, I tried running `ls -alZ /var/lib/mysql` and I get this `srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 0 Sep 27 19:19 mysql.sock`. Running `restorecon` fixes it temporarily but the nextcloud site still remains down. Rebooting the server restores the status of the mysql.sock file. – navjotjsingh Sep 27 '20 at 19:25
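As an added example (not part of the question or the answer above), a few POSIX shell helpers that read an AVC denial and an `ls -Z` line as plain text and report what the labels say: whether the socket file carries the expected type, and which domain the process listening on the socket runs in (for a `connectto` denial, `tcontext` is that peer domain). The sample lines are constructed copies of the ones quoted on this page; the expected domain name `mysqld_t` is assumed from Fedora's targeted policy.

```shell
#!/bin/sh
# Added example: offline label diagnostics for an AVC denial and an ls -Z line.
# Constructed sample input, copied from the lines quoted on this page.
AVC_LINE='type=AVC msg=audit(1601229230.944:718): avc:  denied  { connectto } for  pid=584 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0'
LS_LINE='srwxrwxrwx. 1 mysql mysql system_u:object_r:mysqld_db_t:s0 0 Sep 27 19:19 mysql.sock'

# Print the value of one key=value field of an audit line ($1 = line, $2 = key).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p"
}

# Print the type component of a SELinux context (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# File label check: $1 = ls -lZ line, $2 = type the policy expects.
# Returns 0 when the label matches, 1 when the file needs relabeling.
check_file_label() {
    actual=$(ctx_type "$(printf '%s\n' "$1" | awk '{print $5}')")
    if [ "$actual" = "$2" ]; then
        echo "label ok: $actual"; return 0
    fi
    echo "mislabeled: $actual (expected $2); restorecon relabels it, but a custom semanage fcontext rule would reapply $actual"
    return 1
}

# Peer domain check: for a connectto denial on a unix_stream_socket, tcontext
# is the domain of the process listening on the socket.
# $1 = AVC line, $2 = domain the server should run in (assumed: mysqld_t).
# Returns 0 when the server is in the expected domain, 1 otherwise.
check_peer_domain() {
    tclass=$(avc_field "$1" tclass)
    peer=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$tclass" = "unix_stream_socket" ] && [ "$peer" = "$2" ]; then
        echo "server domain ok: $peer"; return 0
    fi
    echo "server runs as $peer, not $2: relabeling the socket alone will not help; check the server binary's label and that the service starts through its systemd unit"
    return 1
}

check_file_label "$LS_LINE" mysqld_var_run_t
check_peer_domain "$AVC_LINE" mysqld_t
```

On the sample input both checks fail, which matches the thread: the socket carries `mysqld_db_t` rather than `mysqld_var_run_t`, and the listening process runs as `unconfined_service_t` rather than `mysqld_t`.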