centos8 stream-Problem with Apache2 or php

[hapugov]

Hi all, I ran into a problem when installing Mediawiki that it cannot connect to the database with the error "invalid database type". I wrote to the MediaWiki forum, but there is no way to figure out what the problem is, because the problem is not in MediaWiki, but somewhere in the server settings. As if it does not pass something when clicking from the web to the settings. Below is a link to the discussion. The first time I asked a question there, now I came here. I am new to linux, please understand. I have a dedicated host with linux, if possible I will provide all available information upon request.


Link to MediaWiki forum discussion
https://www.mediawiki.org/w/index.php?t ... 3oif0hbyog

Link to the page I get when I open <?php phpinfo(); ?>
https://drive.google.com/file/d/1dlMLwr ... sp=sharing

[TrevorH]

What is the output from aureport -a run as root? If there is an entry timestamped at the same time that you last tried the mediawiki isntall then take the number from the right hand end and plug that into ausearch -a nnnn (where nnnn is the number).

[hapugov]

What is the output from aureport -a run as root? If there is an entry timestamped at the same time that you last tried the mediawiki isntall then take the number from the right hand end and plug that into ausearch -a nnnn (where nnnn is the number).

I just tried to connect MediaWiki to the db and there is nothing in the logs, there is one line from Sept. 14

Code: Select all

[root@msrv ~]# aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 09/14/2023 23:37:17 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 262433
[root@msrv ~]# aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 09/14/2023 23:37:17 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 262433
[root@msrv ~]# ausearch -a 262433
----
time->Thu Sep 14 23:37:17 2023
type=USER_AVC msg=audit(1694723837.451:262433): pid=1058 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=5)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[TrevorH]

Well, the usual cause of problems with a web server being unable to talk to a database is due to an selinux setting that defaults to disallowing it. You can check the setting using getsebool -a | grep httpd_can_network_connect_db. If it's set to off then it is not allowed to talk to a database server. I would expect that if it was this then it would have an audit log entry and it appears you do not. However you can toggle the selinux boolean using setsebool -P httpd_can_network_connect_db 1 (the -P persists the change over a reboot) but since there is no audit log entry for the denial I do not think this is your problem... but it may be once you fix the problem you have now.

[hapugov]

I did as you wrote, now in the logs there are httpd events with status denied

Code: Select all

[root@msrv ~]# getsebool -a | grep httpd_can_network_connect_db
httpd_can_network_connect_db --> off
[root@msrv ~]# setsebool -P httpd_can_network_connect_db 1
[root@msrv ~]# getsebool -a | grep httpd_can_network_connect_db
httpd_can_network_connect_db --> on
[root@msrv ~]# aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 09/14/2023 23:37:17 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 262433
2. 09/17/2023 19:02:32 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 287141
3. 09/17/2023 19:02:33 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 287143
4. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287150
5. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287151
6. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287152
7. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287153
8. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287154
9. 09/17/2023 19:03:13 bash system_u:system_r:httpd_t:s0 302 process setrlimit system_u:system_r:httpd_t:s0 denied 287155
10. 09/17/2023 19:03:13 php-fpm system_u:system_r:httpd_t:s0 257 dir write unconfined_u:object_r:httpd_sys_content_t:s0 d          enied 287156
[root@msrv ~]# ausearch -a 287155
----
time->Sun Sep 17 19:03:13 2023
type=PROCTITLE msg=audit(1694966593.055:287155): proctitle=2F62696E2F62617368002F7661722F7777772F77696B692E657866696C2E72752F76656EF722F77696B696D656469612F7368656C6C626F782F7372632F436F6D6D616E642F6C696D69742E736800272F7573722F62696E2F6769742720272D2D7665727369E270053425F494E434C5544455F5354444552523D313B53
type=SYSCALL msg=audit(1694966593.055:287155): arch=c000003e syscall=302 success=no exit=-13 a0=0 a1=1 a2=7ffddf9dc0a0 a3=0 items=0id=986752 pid=986753 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 commash" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1694966593.055:287155): avc:  denied  { setrlimit } for  pid=986753 comm="bash" scontext=system_u:system_r:httpds0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

[jlehtone]

Selinux does not log everything by default. See man semanage-dontaudit


'audit2why' translates messages into description:

Code: Select all

ausearch -a 262433 | audit2why