When updating MariaDB, the popular successor to MySQL, you may, once upon a time, hit a roadblock which you won’t be able to track down in the error log. Even though web visitors get to see the plain text complaint “Can’t connect to the database”, the MariaDB server will be running just fine. Silent errors should be reason enough to suspect SELinux, the oftentimes dreaded and despised but equally popular Security-Enhanced Linux kernel module.
This happens whenever the new release comes with additional requirements for permissions that were not covered in your prior SELinux configuration, as was recently the case with MariaDB 10.1.16.
Step 1. Switch SELinux to the permissive mode temporarily and let MariaDB do its thing
Switch SELinux to the permissive mode using:
setenforce 0
Restart MariaDB and make an attempt to use the web application which was previously throwing the unsightly error. If it works and your app connects to the server, you are well on your way to creating a permanent fix. While this is going on, SELinux is tracking the activity and logging permissions violations.
Step 2. Save SELinux policy violations
Save permissions violations pertaining to MariaDB using audit2allow by extracting relevant warnings from the log:
grep mysql /var/log/audit/audit.log | audit2allow -M mymariadb
Remember to grep for MariaDB’s famously compatibility-friendly “mysql” identifier.
Step 3. Verify if policy changes make sense
In order to verify, if proposed changes aren’t going to hurt server security, run this command:
cat mymariadb.te
You should see something like this:
module mymariadb 1.0; require { type httpd_t; type init_t; class unix_stream_socket connectto; } #============= httpd_t ============== allow httpd_t init_t:unix_stream_socket connectto;
If what you are seeing looks halfway reasonable, build the module.
Step 3. Build the module
In order to build the new module, run this command:
semodule -i mymariadb.pp
Step 4. Activate the SELinux enforcing mode
Activate enforcing:
setenforce 1
Verify that SELinux is indeed enforcing:
getenforce
Test your web application again. If everything looks the way it should, you have the right policy in place.
Step 5. Verify SELinux configuration
In order to ensure that SELinux won’t forget to enforce its policies after a reboot, have a look at its configuration file:
nano /etc/selinux/config
These settings should activate enforcing (or the permissive mode, at the least, but never deactivate SELinux! because in this case, you wouldn’t even have a track record of what went wrong and why).
Leave a Reply