#1708 Fedora: Failed to connect to database (closed)

#1708 Fedora: Failed to connect to database

Reporter	Denis
Owner	Nobody
Created	2022-01-09
Updated	2022-07-29
Stars	★ (1)
Tags	Component-Docs Priority-Medium Type-Defect Status-Invalid

Denis on 2022-01-09
The prosody installed on Fedora server. I have the following error when I try to authenticate from the client in `/var/log/prosody/prosody.log`: Error in SQL transaction: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) storage_sql error Unable to read from database accounts store for myuser: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) So far as I found if I disable selinux `setenforce 0` the error disappears. Can someone please help which rule needs to be enabled/disabled to keep selinux enabled and in the same time allow prosody to connect to the db? Would be nice to mention it in the documentation. I am using mariadb and the sql connection config is as follows: `sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "MY_PASSWORD", host = "localhost" }`
Denis on 2022-01-12
The explanation by the `sealert -l {GUID}` is as follows: ``` SELinux is preventing prosody from search access on the directory /var/lib/mysql. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that prosody should be allowed search access on the mysql directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'prosody' --raw | audit2allow -M my-prosody # semodule -X 300 -i my-prosody.pp Additional Information: Source Context system_u:system_r:prosody_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ dir ] Source prosody Source Path prosody Port <Unknown> Host fedora Source RPM Packages Target RPM Packages mariadb-server-10.5.13-1.fc35.x86_64 SELinux Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch Local Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora Platform Linux fedora 5.15.13-200.fc35.x86_64 #1 SMP Wed Jan 5 16:39:13 UTC 2022 x86_64 x86_64 Alert Count 103 First Seen 2022-01-09 17:55:43 GMT Last Seen 2022-01-12 20:55:06 GMT Local ID 07ff5d55-990d-472a-9c8e-f12eb4221ff0 Raw Audit Messages type=AVC msg=audit(1642020906.335:446): avc: denied { search } for pid=1014 comm="prosody" name="mysql" dev="dm-0" ino=8677531 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0 Hash: prosody,prosody_t,mysqld_db_t,dir,search ```
Zash on 2022-07-29
I'm sorry, none of us know are experts, or even familiar with SELinux. I would recommend seeking help elsewhere. One possible workaround could be to set host="127.0.0.1" since MySQL treats "localhost" specially as meaning to use the UNIX socket in the file system. Good luck
Changes
- tags Status-Invalid

Denis on 2022-01-09

The prosody installed on Fedora server. I have the following error when I try to authenticate from the client in `/var/log/prosody/prosody.log`: Error in SQL transaction: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) storage_sql error Unable to read from database accounts store for myuser: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) So far as I found if I disable selinux `setenforce 0` the error disappears. Can someone please help which rule needs to be enabled/disabled to keep selinux enabled and in the same time allow prosody to connect to the db? Would be nice to mention it in the documentation. I am using mariadb and the sql connection config is as follows: `sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "MY_PASSWORD", host = "localhost" }`

Denis on 2022-01-12

The explanation by the `sealert -l {GUID}` is as follows: ``` SELinux is preventing prosody from search access on the directory /var/lib/mysql. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that prosody should be allowed search access on the mysql directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'prosody' --raw | audit2allow -M my-prosody # semodule -X 300 -i my-prosody.pp Additional Information: Source Context system_u:system_r:prosody_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ dir ] Source prosody Source Path prosody Port <Unknown> Host fedora Source RPM Packages Target RPM Packages mariadb-server-10.5.13-1.fc35.x86_64 SELinux Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch Local Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora Platform Linux fedora 5.15.13-200.fc35.x86_64 #1 SMP Wed Jan 5 16:39:13 UTC 2022 x86_64 x86_64 Alert Count 103 First Seen 2022-01-09 17:55:43 GMT Last Seen 2022-01-12 20:55:06 GMT Local ID 07ff5d55-990d-472a-9c8e-f12eb4221ff0 Raw Audit Messages type=AVC msg=audit(1642020906.335:446): avc: denied { search } for pid=1014 comm="prosody" name="mysql" dev="dm-0" ino=8677531 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0 Hash: prosody,prosody_t,mysqld_db_t,dir,search ```

Zash on 2022-07-29

I'm sorry, none of us know are experts, or even familiar with SELinux. I would recommend seeking help elsewhere. One possible workaround could be to set host="127.0.0.1" since MySQL treats "localhost" specially as meaning to use the UNIX socket in the file system. Good luck

Changes

tags Status-Invalid

#1708 Fedora: Failed to connect to database

New comment