Apache and MySQL on different hosts with SELinux

Recently I upgraded my single “LAMP” setup with two Apache front-ends, and two MySQL mirrored backends. When moving WordPress to the new web servers I came across an issue with MySQL connections. The /var/log/audit/audit.log shows:

type=AVC msg=audit(1401916568.434:533): avc: denied { name_connect } for pid=31254 comm=”httpd” dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401916568.434:533): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fffdda48c20 a2=10 a3=10 items=0 ppid=1685 pid=31254 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=”httpd” exe=”/usr/sbin/httpd” subj=system_u:system_r:httpd_t:s0 key=(null)

The issue is related to SELinux blocking the MySQL connections from within Apache, and instead of taking the easy way out and disabling SELinux completely, the only command needed to get it to work was:

setsebool -P httpd_can_network_connect_db 1

Leave a Reply