Prosody is installed on a Fedora server. I get the following error in `/var/log/prosody/prosody.log` when I try to authenticate from the client:
```
Error in SQL transaction: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)
storage_sql error Unable to read from database accounts store for myuser: Failed to connect to database: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)
```
As far as I have found, if I disable SELinux (`setenforce 0`) the error disappears.
Can someone please help with which rule needs to be enabled/disabled to keep SELinux enabled and at the same time allow Prosody to connect to the DB? It would be nice to mention it in the documentation.
I am using MariaDB and the SQL connection config is as follows:
`sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "MY_PASSWORD", host = "localhost" }`
Denis
The explanation from `sealert -l {GUID}` is as follows:
```
SELinux is preventing prosody from search access on the directory /var/lib/mysql.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that prosody should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp
Additional Information:
Source Context system_u:system_r:prosody_t:s0
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects /var/lib/mysql [ dir ]
Source prosody
Source Path prosody
Port <Unknown>
Host fedora
Source RPM Packages
Target RPM Packages mariadb-server-10.5.13-1.fc35.x86_64
SELinux Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch
Local Policy RPM selinux-policy-targeted-35.8-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 5.15.13-200.fc35.x86_64 #1 SMP Wed
Jan 5 16:39:13 UTC 2022 x86_64 x86_64
Alert Count 103
First Seen 2022-01-09 17:55:43 GMT
Last Seen 2022-01-12 20:55:06 GMT
Local ID 07ff5d55-990d-472a-9c8e-f12eb4221ff0
Raw Audit Messages
type=AVC msg=audit(1642020906.335:446): avc: denied { search } for pid=1014 comm="prosody" name="mysql" dev="dm-0" ino=8677531 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir permissive=0
Hash: prosody,prosody_t,mysqld_db_t,dir,search
```
Zash
I'm sorry, none of us are experts, or even familiar with SELinux. I would recommend seeking help elsewhere.
One possible workaround could be to set host="127.0.0.1" since MySQL treats "localhost" specially as meaning to use the UNIX socket in the file system.
Good luck