LinuxQuestions.org


kwatts59 09-02-2016 06:12 PM

ERROR: mysqli_connect(): (HY000/2002): Permission denied
 
Hi everyone,

I am trying to connect to a MySQL database from PHP and I get the following error in the /var/log/httpd/error_log.

Code:

[Fri Sep 02 11:47:10.961123 2016] [:error] [pid 22023] [client 10.81.227.214:55722] PHP Warning:  mysqli_connect(): (HY000/2002): Permission denied in /var/www/html/shenlab/software/TSD/Connections/connGS.php on line 9, referer: http://shenlab.sols.unlv.edu/shenlab/software/TSD/transcript_display.html

The connGS.php code is as follows (Note: I am not posting the actual password for security reasons):

Code:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostnameGS = "localhost";
$databaseGS = "gene_structure";
$usernameGS = "kwatanabe";
$passwordGS = "password";
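# mysqli_connect_error() reports mysqli connection failures; mysql_error() belongs to the old mysql extension.
$connGS = mysqli_connect($hostnameGS, $usernameGS, $passwordGS, $databaseGS) or trigger_error(mysqli_connect_error(), E_USER_ERROR);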
?>

When I turn SELINUX off (i.e. setenforce 0), the error goes away and the program runs perfectly. Unfortunately this is NOT an option.

I have tried setting the sebooleans as follows:

setsebool httpd_can_network_connect on
setsebool httpd_can_network_connect_db on
setsebool mysql_connect_any on
setsebool mysql_connect_httpd on

and I still get the error.

I also tried

restorecon -R /var/www/html/shenlab

and I still get the error.


I have been googling for a solution for hours and all I could find was this
http://stackoverflow.com/questions/5...mission-denied

And the solution that was provided was
"you have to set up SELINUX correctly".

Well how the F... do you set up SELINUX correctly????

Any help would be greatly appreciated.
Ken

HMW 09-03-2016 02:05 AM

Hi!

First of all, let it be known that I am far from an expert on SELinux, so I might be talking from my behind.

But, this looks very odd for a boolean:
Quote:

Originally Posted by kwatts59 (Post 5599976)
setsebool can_network_connect on

I have yet to encounter a bool with that switch (e.g. 'on' 'off'); a quick search for selinux setsebool syntax shows that the common usages are either:
true, false
or
1,0

Again, maybe this 'on, off' thing is unique to SELinux; it just looks odd to me.

Best regards,
HMW

kwatts59 09-04-2016 01:16 AM

Oops, I made a mistake in my original post.
The SE Booleans are:
httpd_can_network_connect
httpd_can_network_connect_db
Sorry for the mistake. I corrected the original post.

I used the following command to determine the state of the boolean
Code:

getsebool -a | grep httpd_can_network

I also tested the setsebool with the on/off, true/false and 1/0 switches and all appear to work.
Ken

HMW 09-04-2016 01:24 AM

Quote:

Originally Posted by kwatts59 (Post 5600445)
I also tested the setsebool with the on/off, true/false and 1/0 switches and all appear to work.
Ken

Ok, good to know. I learnt something new. Unfortunately I cannot help you with this. Hopefully someone else can!

Best regards,
HMW

keefaz 09-04-2016 08:18 AM

Code:

# If you want to allow users to connect to mysql, you must turn on the allow_user_mysql_connect boolean.
setsebool -P allow_user_mysql_connect 1

http://linux.die.net/man/8/mysqld_selinux

unSpawn 09-04-2016 08:33 AM

*Additionally note running 'grep mysql /var/log/audit.log /var/log/messages|audit2allow;' will explain and should also point to booleans like "allow_user_mysql_connect".

kwatts59 09-04-2016 04:55 PM

When I enter the command
Code:

# getsebool -a | grep mysql

I get the following output:
Code:

mysql_connect_any --> on
mysql_connect_http --> on
selinuxuser_mysql_connect_enabled --> on

There is no boolean called allow_user_mysql_connect.

I also ran "grep mysql /var/log/audit/audit.log" and below is the output:

Code:

type=AVC msg=audit(1473022912.997:498): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023053.062:508): avc:  denied  { write } for  pid=1173 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023254.766:515): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023458.579:532): avc:  denied  { write } for  pid=2273 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0

I am not sure what this means, but if something in here can help fix the problem, it would be greatly appreciated.
Ken

P.S.
There is no directory for /var/log/messages.

kwatts59 09-08-2016 02:34 PM

Hello everybody. Thanks for all your input.
My mentor worked on the problem and fixed it.

The database was moved from /var/lib/mysql to another directory. A symbolic link was made from /var/lib/mysql to mysql.sock in the new directory.
SELinux was preventing httpd from read access on the link /var/lib/mysql/mysql.sock file. The following two commands solved the problem:

ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -X 300 -i my-httpd.pp

I am still not quite sure what these two commands do, but it fixed the problem.
Thanks all. Case closed.
Ken
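
Added example, not part of any post in this thread: a POSIX shell function that turns AVC records like the ones kwatts59 posted into the allow rule an audit2allow module built from them would carry, and flags targets labelled default_t, where relabelling the moved directory is the narrower fix. NEW_DIR is a placeholder because the thread does not name the new database directory; the two sample records are copied from the audit.log excerpt above.

```shell
# Added example (not from the thread). The two records are copied from the
# audit.log excerpt posted above.
SAMPLE_AVC='type=AVC msg=audit(1473022912.997:498): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023053.062:508): avc:  denied  { write } for  pid=1173 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0'

# Read audit records on stdin; print one deduplicated allow rule per denial,
# followed by the object name and a hint on how to handle it.
avc_rules() {
  awk '
    /avc: +denied/ {
      # Permission list sits between the braces: { write } or { read write }
      perms = $0
      sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = tgt = cls = name = "?"
      for (i = 1; i <= NF; i++) {
        # Contexts are user:role:type:level, so the type is the third part
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
      }
      if (perms ~ / /) perms = "{ " perms " }"
      rule = "allow " src " " tgt ":" cls " " perms ";"
      if (seen[rule]++) next
      # default_t / unlabeled_t: the object has no matching file-context rule
      hint = (tgt == "default_t" || tgt == "unlabeled_t") ? "relabel-target" : "review-policy"
      print rule "  # name=" name " action=" hint
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_rules

# default_t means no file-context rule matched the new location, so a module
# carrying the rule above lets httpd_t write to every default_t socket file.
# Narrower fix: give the new directory the same labels as /var/lib/mysql.
# NEW_DIR is a placeholder; the thread does not give the real path.
#   semanage fcontext -a -e /var/lib/mysql "$NEW_DIR"
#   restorecon -Rv "$NEW_DIR"
```

The module built by the two commands in the post above can be inspected before loading by reading the my-httpd.te file that audit2allow -M writes next to my-httpd.pp.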

unSpawn 09-08-2016 04:48 PM

Thanks for posting feedback. Please mark thread "solved".

