Topic: php82-php-mysqlnd and SELinux

Hi forum,
Under CentOS 7 my app using PHP 7.4 works fine.
But under Rocky 9 using PHP 8.2 the database connection fails.

It looks like SELinux will block the connection:
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1675070878.877:25226): avc:  denied  { connectto } for  pid=804260 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1675070878.877:25226): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7ffeeea1b190 a2=1b a3=55c6c8884b00 items=0 ppid=788377 pid=804260 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/remi/php82/root/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"

audit2why says that a rule is missing:
type=AVC msg=audit(1675071410.210:25295): avc:  denied  { connectto } for  pid=788378 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

        Was caused by:
                Missing type enforcement (TE) allow rule

The app is calling MariaDB via the local socket.

Re: php82-php-mysqlnd and SELinux

Try setting the various SELinux booleans, especially httpd_can_network_connect_db

# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> on
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_manage_courier_spool --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> on
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> off
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_opencryptoki --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: php82-php-mysqlnd and SELinux

It will not help.
I think, as the name says, it will only affect real network connections using IP and so on.
But in the meantime I found some hints that it only affects the combination with some versions of MariaDB under the RHEL 9 clones.
https://almalinux.discourse.group/t/sel … ction/1626
So for me the real cause is unclear.

Re: php82-php-mysqlnd and SELinux

How did you install MariaDB? Which version?
According to the above link, this issue seems related to non-official packages...

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: php82-php-mysqlnd and SELinux

It looks like a packaging bug of MariaDB itself.
The mariadb process itself runs in the wrong context.
https://jira.mariadb.org/browse/MDEV-30520
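The thread turns on reading the AVC record correctly: the denied permission is connectto on a unix_stream_socket, and the target context is unconfined_service_t rather than the mysqld_t a properly labelled MariaDB would carry. The httpd_can_network_connect_db boolean only covers tcp_socket name_connect, so it cannot help here. The following triage script is an added example written for this thread, not code from the forum, Remi's packages or MariaDB; it parses the two AVC lines quoted above plus one constructed tcp_socket denial for contrast, and classifies each one along the lines the thread arrived at.

```python
import re

# Sample input: the two AVC records quoted in the thread, plus a constructed
# tcp_socket denial (NOT from the page) so the network case can be compared.
AVC_LINES = [
    'type=AVC msg=audit(1675070878.877:25226): avc:  denied  { connectto } for  pid=804260 '
    'comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1675071410.210:25295): avc:  denied  { connectto } for  pid=788378 '
    'comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1',
    # constructed example of the case the boolean actually addresses
    'type=AVC msg=audit(1675071500.000:25300): avc:  denied  { name_connect } for  pid=1 '
    'comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="php-fpm") or bare (pid=804260)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    rec.update(fields)
    # permissive=1 means the access was logged but not actually blocked
    rec['permissive'] = fields.get('permissive') == '1'
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type:level SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def triage(rec):
    """Classify an httpd_t denial the way the thread did: boolean, or mislabelled peer."""
    src = context_type(rec.get('scontext', ''))
    tgt = context_type(rec.get('tcontext', ''))
    tclass = rec.get('tclass')
    if src != 'httpd_t':
        return 'not an httpd_t denial'
    if tclass == 'tcp_socket' and 'name_connect' in rec['perms']:
        return 'network connect: httpd_can_network_connect_db / httpd_can_network_connect apply'
    if tclass == 'unix_stream_socket' and 'connectto' in rec['perms']:
        if tgt == 'unconfined_service_t':
            return 'peer service runs as unconfined_service_t (mislabelled); network booleans do not apply'
        return 'local socket to %s: needs a TE allow rule, not a network boolean' % tgt
    return 'unclassified'


def triage_all(lines):
    """Triage every parseable AVC line; returns a list of (tclass, verdict) tuples."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec.get('tclass'), triage(rec)))
    return out


if __name__ == '__main__':
    for tclass, verdict in triage_all(AVC_LINES):
        print('%-20s %s' % (tclass, verdict))
```

The unix_stream_socket branch is the thread's actual case: the denial names the socket path under /var/lib/mysql, and audit2why reports a missing TE rule because policy has no allow rule from httpd_t to unconfined_service_t. The fix is to get the server process back into its own domain (the MDEV ticket above), which can be confirmed on the host by checking the running mariadb process's context with ps -eZ, rather than writing a custom module that permanently allows httpd_t to talk to unconfined services.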

Re: php82-php-mysqlnd and SELinux

OK, so not an issue with my packages.

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi