From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050516 Firefox/1.0.4

Description of problem:
The SELinux policies set by default with php-mysql-5.0.4-10.3 and httpd-2.0.54-10 prevent the mysql_connect() function from connecting to MySQL servers external to the local machine. They may also prevent connecting to local MySQL servers, but I did not test that personally.

For a related issue see:
http://forums.fedoraforum.org/forum/showthread.php?t=65245

Having some more info on how to fix this would be great, or just enable it by default would be best (at least for me :)

Version-Release number of selected component (if applicable):
php-mysql-5.0.4-10.3

How reproducible:
Always

Steps to Reproduce:
1. yum install php-mysql
2. Create a php script that calls a remote mysql server with mysql_connect()
3. Run the script, php will not be able to connect to MySQL

Actual Results:
/var/log/audit/audit.log

type=AVC msg=audit(1122944817.122:710173): avc: denied { name_connect } for pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1122944817.122:710173): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf7ffb60 a2=35c43b0 a3=2 items=0 pid=3146 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1122944817.122:710173): saddr=02000CEA4519E8770000000000000000
type=SOCKETCALL msg=audit(1122944817.122:710173): nargs=3 a0=d a1=bf800d44 a2=10

Expected Results:
This should have worked correctly.

Additional info:
To make it work I added the SELinux policy in /etc/selinux/targeted/src/policy/domains/misc/local.te like so:

allow httpd_t mysqld_port_t:tcp_socket { name_connect };

This is due to the SELinux policy, which prevents httpd processes from making outgoing network connections by default. The httpd_can_network_connect boolean can be used to change this behaviour; to allow connections:

  setsebool httpd_can_network_connect=1

passing the -P argument to set the boolean permanently (across reboots).

For further information on SELinux/Apache integration in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-apache-fc3/

For general information on SELinux in Fedora Core, please see:
http://fedora.redhat.com/docs/selinux-faq-fc3/
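
Added example (not part of the original report or reply, and not Fedora's own tooling): a Python script that pairs the AVC and SOCKADDR records quoted in the report by audit event ID and decodes the saddr field, so the denied permission, the source and target types, and the destination can be read together. It assumes an IPv4 sockaddr logged on a little-endian host, as the arch=40000003 record indicates; the function names are hypothetical.

```python
import re
import socket
import struct

# Records copied from the report above (a single audit event).
SAMPLE = """type=AVC msg=audit(1122944817.122:710173): avc: denied { name_connect } for pid=3146 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1122944817.122:710173): saddr=02000CEA4519E8770000000000000000
"""

EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
SADDR_RE = re.compile(r'saddr=((?:[0-9A-Fa-f]{2})+)')

def decode_saddr(hexstr):
    """Decode a hex-dumped sockaddr_in into (ip, port); None if not IPv4."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8:
        return None
    family = struct.unpack("<H", raw[:2])[0]  # sa_family, little-endian host (assumed)
    if family != socket.AF_INET:
        return None  # only IPv4 is handled here
    port = struct.unpack("!H", raw[2:4])[0]   # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def denied_connections(log_text):
    """Group records by audit event ID and return one dict per AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        avc = AVC_RE.search(line)
        sa = SADDR_RE.search(line)
        if avc:
            perms, comm, scon, tcon, tclass = avc.groups()
            ev.update(perms=perms.split(), comm=comm, tclass=tclass,
                      source_type=scon.split(":")[2],   # user:role:type
                      target_type=tcon.split(":")[2])
        elif sa and line.startswith("type=SOCKADDR"):
            ev["peer"] = decode_saddr(sa.group(1))
    return [e for e in events.values() if "perms" in e]

if __name__ == "__main__":
    for d in denied_connections(SAMPLE):
        print(d["comm"], d["source_type"], "->", d["target_type"],
              d["tclass"], d["perms"], "peer:", d.get("peer"))
```

The target type it reports, mysqld_port_t, is the one named in the reporter's allow rule, while the httpd_can_network_connect boolean from the reply governs outgoing connections from httpd processes in general.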