SELinux: Letting Apache talk to MySQL on CentOS

UPDATE 2

    type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

You can build a custom SELinux policy module by following these steps:

    # grep httpd_t audit.log | audit2allow -m httpd > httpd.te
    # checkmodule -M -m -o httpd.mod httpd.te
    # semodule_package -m httpd.mod -o httpd.pp
    # semodule -i httpd.pp

Refer to this topic for more details.


UPDATE

  1. Run the semanage command to add a context mapping for /opt/chroot/mysql/var/lib/mysql/:

    # semanage fcontext -a -t mysqld_db_t "/opt/chroot/mysql/var/lib/mysql(/.*)?"
    
  2. Then use the restorecon command to apply this context mapping:

    # restorecon -Rv /opt/chroot/mysql/var/lib/mysql
    

If you are connecting via TCP/IP, try this:

    # setsebool -P httpd_can_network_connect 1
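
The `audit2allow` step under UPDATE 2 turns every matching denial into an allow rule, so it is worth reading what will be granted before running `semodule -i`. The sketch below is an added example, not part of the original answer: it reduces AVC lines to the rule each one implies and marks rules whose target type is `unconfined_t`, as in the denial quoted above, because such a rule lets `httpd_t` connect to a socket owned by any process in that domain. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in the answer plus one made-up line for contrast.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1318863312.959:435): avc: denied { connectto } for pid=12472 comm="httpd" path="/opt/chroot/mysql/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1318863400.101:436): avc: denied { write } for pid=12472 comm="httpd" name="mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=sock_file
EOF
}

# Read AVC lines on stdin and print one allow rule per distinct denial.
# Rules whose target type is unconfined_t are tagged REVIEW, all others RULE.
avc_rules() {
  awk '
    /avc: +denied/ {
      src = ""; tgt = ""; cls = ""; perms = ""
      # The denied permissions sit between the first "{" and "}".
      open = index($0, "{"); close_at = index($0, "}")
      if (open > 0 && close_at > open) {
        perms = substr($0, open + 1, close_at - open - 1)
        gsub(/^ +| +$/, "", perms)
      }
      # A context is user:role:type:level, so the type is the third field.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      rule = "allow " src " " tgt ":" cls " { " perms " };"
      if (seen[rule]++) next            # report each rule once
      tag = (tgt == "unconfined_t") ? "REVIEW" : "RULE"
      print tag " " rule
    }'
}

# Against a real log: grep httpd_t audit.log | avc_rules
sample_avc | avc_rules
```

A REVIEW line for the MySQL socket usually means mysqld itself is running unconfined, so confining or relabeling the daemon narrows what the generated module has to allow.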