LinuxQuestions.org
Old 09-02-2016, 07:12 PM   #1
kwatts59
Member
 
Registered: Aug 2012
Posts: 34

Rep: Reputation: Disabled
ERROR: mysqli_connect(): (HY000/2002): Permission denied


Hi everyone,

I am trying to connect to a MySQL database from PHP and I get the following error in the /var/log/httpd/error_log.

Code:
[Fri Sep 02 11:47:10.961123 2016] [:error] [pid 22023] [client 10.81.227.214:55722] PHP Warning:  mysqli_connect(): (HY000/2002): Permission denied in /var/www/html/shenlab/software/TSD/Connections/connGS.php on line 9, referer: http://shenlab.sols.unlv.edu/shenlab/software/TSD/transcript_display.html
The connGS.php code is as follows (Note: I am not posting the actual password for security reasons):

Code:
<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostnameGS = "localhost";
$databaseGS = "gene_structure";
$usernameGS = "kwatanabe";
$passwordGS = "password";
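# mysqli_connect_error() reports why mysqli_connect() failed; mysql_error() belongs to the old mysql extension
$connGS = mysqli_connect($hostnameGS, $usernameGS, $passwordGS, $databaseGS) or trigger_error(mysqli_connect_error(), E_USER_ERROR);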
?>
When I turn SELINUX off (i.e. setenforce 0), the error goes away and the program runs perfectly. Unfortunately this is NOT an option.

I have tried setting the sebooleans as follows:

setsebool httpd_can_network_connect on
setsebool httpd_can_network_connect_db on
setsebool mysql_connect_any on
setsebool mysql_connect_httpd on

and I still get the error.

I also tried

restorecon -R /var/www/html/shenlab

and I still get the error.


I have been googling for a solution for hours and all I could find was this
http://stackoverflow.com/questions/5...mission-denied

And the solution that was provided was
"you have to set up SELINUX correctly".

Well how the F... do you set up SELINUX correctly????

Any help would be greatly appreciated.
Ken

Last edited by kwatts59; 09-04-2016 at 02:07 AM.
 
Old 09-03-2016, 03:05 AM   #2
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Xubuntu, Manjaro
Posts: 745
Blog Entries: 3

Rep: Reputation: 347
Hi!

First of all, let it be known that I am far from an expert on SELinux, so I might be talking from my behind.

But, this looks very odd for a boolean:
Quote:
Originally Posted by kwatts59
setsebool can_network_connect on
I have yet to encounter a bool with that switch (e.g. 'on', 'off'); a quick search for selinux setsebool syntax shows that the common usages are either:
true, false
or
1,0

Again, maybe this 'on, off' thing is unique to SELinux, it just looks odd to me.

Best regards,
HMW
 
Old 09-04-2016, 02:16 AM   #3
kwatts59
Member
 
Registered: Aug 2012
Posts: 34

Original Poster
Rep: Reputation: Disabled
Oops, I made a mistake in my original post.
The SE Booleans are:
httpd_can_network_connect
httpd_can_network_connect_db
Sorry for the mistake. I corrected the original post.

I used the following command to determine the state of the boolean
Code:
getsebool -a | grep httpd_can_network
I also tested the setsebool with the on/off, true/false and 1/0 switches and all appear to work.
Ken
 
Old 09-04-2016, 02:24 AM   #4
HMW
Member
 
Registered: Aug 2013
Location: Sweden
Distribution: Debian, Arch, Xubuntu, Manjaro
Posts: 745
Blog Entries: 3

Rep: Reputation: 347
Quote:
Originally Posted by kwatts59
I also tested the setsebool with the on/off, true/false and 1/0 switches and all appear to work.
Ken
Ok, good to know. I learnt something new. Unfortunately I cannot help you with this. Hopefully someone else can!

Best regards,
HMW
 
Old 09-04-2016, 09:18 AM   #5
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 5,387

Rep: Reputation: 397
Code:
# If you want to allow users to connect to mysql, you must turn on the allow_user_mysql_connect boolean. 
setsebool -P allow_user_mysql_connect 1
http://linux.die.net/man/8/mysqld_selinux
 
Old 09-04-2016, 09:33 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
*Additionally note running 'grep mysql /var/log/audit.log /var/log/messages|audit2allow;' will explain and should also point to booleans like "allow_user_mysql_connect".
 
Old 09-04-2016, 05:55 PM   #7
kwatts59
Member
 
Registered: Aug 2012
Posts: 34

Original Poster
Rep: Reputation: Disabled
When I enter the command
Code:
# getsebool -a | grep mysql
I get the following output:
Code:
mysql_connect_any --> on
mysql_connect_http --> on
selinuxuser_mysql_connect_enabled --> on
There is no boolean called allow_user_mysql_connect.

I also ran "grep mysql /var/log/audit/audit.log" and below is the output:

Code:
type=AVC msg=audit(1473022912.997:498): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023053.062:508): avc:  denied  { write } for  pid=1173 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023254.766:515): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1473023458.579:532): avc:  denied  { write } for  pid=2273 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0
I am not sure what this means, but if something in here can help fix the problem, it would be greatly appreciated.
Ken

P.S.
There is no directory for /var/log/messages.
 
Old 09-08-2016, 03:34 PM   #8
kwatts59
Member
 
Registered: Aug 2012
Posts: 34

Original Poster
Rep: Reputation: Disabled
Hello everybody. Thanks for all your input.
My mentor worked on the problem and fixed it.

The database was moved from /var/lib/mysql to another directory. A symbolic link was made from the /var/lib/mysql to mysql.sock in the new directory.
SELinux was preventing httpd from read access on the link /var/lib/mysql/mysql.sock file. The following two commands solved the problem:

ausearch -c 'httpd' --raw | audit2allow -M my-httpd
semodule -X 300 -i my-httpd.pp

I am still not quite sure what these two commands do, but it fixed the problem.
Thanks all. Case closed.
Ken

Last edited by kwatts59; 09-08-2016 at 03:39 PM.
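
What `ausearch ... | audit2allow -M` derives from the AVC records in post #7, as an added example that is not part of any post in this thread: `avc_to_allow` rebuilds the allow rule from each denial, and `targets_generic_type` flags rules whose target is `default_t`, the label a file gets when no file-context rule matches its path (here, the relocated socket). The function names and the `/NEW/MYSQL/DATADIR` placeholder are assumptions; the thread does not give the new directory.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the allow rule audit2allow
# derives from an AVC denial and flag generic target labels.

# AVC record copied from post #7.
SAMPLE_AVC='type=AVC msg=audit(1473022912.997:498): avc:  denied  { write } for  pid=2268 comm="httpd" name="mysql.sock" dev="sdc3" ino=42205192 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=0'

# Read AVC records on stdin; print one allow rule per distinct denial.
avc_to_allow() {
    awk '
    /avc:  *denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Permissions are listed between the braces.
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
            if (perms ~ / /) perms = "{ " perms " }"
        }
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the rule uses the type.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        rule = "allow " src " " tgt ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Succeeds when a rule targets default_t or unlabeled_t, i.e. the file has
# no specific label and the rule would cover every file of that type.
targets_generic_type() {
    avc_to_allow | grep -Eq '^allow [^ ]+ (default_t|unlabeled_t):'
}

# Print (do not run) the relabel commands for a relocated data directory.
# $1 is the new directory; the thread does not give its path.
relabel_plan() {
    printf 'semanage fcontext -a -e /var/lib/mysql %s\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
if printf '%s\n' "$SAMPLE_AVC" | targets_generic_type; then
    echo "target is a generic label; review relabeling before loading a module:"
    relabel_plan /NEW/MYSQL/DATADIR   # placeholder path
fi
```

Loading the generated module allows `httpd_t` to write any `default_t` socket file, whereas relabeling leaves the rule set unchanged and fixes the label. Because `ausearch -c 'httpd'` selects every httpd denial in the audit log, the generated `my-httpd.te` is worth reading before `semodule -i` installs it.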
 
Old 09-08-2016, 05:48 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Thanks for posting feedback. Please mark thread "solved".
 
All times are GMT -5.