Permission denied when trying to connect to Mysql installing mediawiki
I have had a problem all afternoon and I'm quite stuck with it, so let's explain it.
I'm running MariaDB, which is a flavour of MySQL for the Fedora Linux distribution. I'm trying to install on my local machine a PHP CMS which needs a database backend, so I've created the database (it's not the first time, so I'm supposed to know what I'm doing), let's say it's called myDb, ok? Then I've created the user, let's say myDbUser@localhost, ok? Then I've granted the privileges on the db to the user (GRANT ALL, to be specific). Then I've tested the user and the granted privileges from the command line of the db; everything works fine, I can log in and I can see the db.
Then I run the installing script of the CMS, ok?
Database type: MySQL (or compatible)
Database host: localhost
Database name: myDb
Database username: myDbUser
Database password: passowrd
The same data that work from the command line. But the result is:
DB connection error: Permission denied (localhost).
Check the host, username and password and try again.
Given that the username and the password work fine from the command line, I assume that it's a problem of the "host"..
So I spent the whole evening trying to understand what is wrong with it, and the only thing I came out with (I know it's not much) is the output of this command:
netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2393 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
I tried every one of those IPs without any success. I always got the same error, so any idea, hint, clue, even a fragment of thought? Thanks.
EDIT: So further research has shown that the problem is NOT a database problem; it is instead a CMS problem. That is because I can connect to the db from the command line with the given user and password.
EDIT2: Other research states that the problem could be a permission problem. I'm logging into the db from the root user of my machine, but the webserver is accessing it from another user. I still have no idea how to solve this.
EDIT3: Here is the log file of the apache server:
/var/www/html/Wiki/includes/limit.sh: line 61: ulimit: cpu time: cannot modify limit: Permission denied
/var/www/html/Wiki/includes/limit.sh: line 90: ulimit: file size: cannot modify limit: Permission denied
Has anyone faced a similar problem before and can help? I have those two links: 1 2 but they don't seem to help me more, because I don't get why this script cannot run those commands.
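If you are not familiar with how MySQL permissions work, just give the MediaWiki installer the root password, and it will create a user with the correct permissions for itself.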
You can try giving permissions like 'youUser'@'%', using '%' instead of localhost. This should work.
Well, it turned out it wasn't a problem of MySQL or PHP at all. Instead it was a problem of security: the server didn't have the permission to access the mysql channel. I had to fix it using those commands:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I really had a hard time finding this solution; I had to go looking for system messages with journalctl (a command I didn't know before). So it was a big pita* but I found it out, eventually.
So if anyone has a similar problem, at least the answer is there.
Actually, what you needed was
setsebool -P httpd_can_network_connect_db 1
I always, every! single! time!, bump into one or more SELinux issues when I set up a new host. And every single time I end up googling the problem for, usually, hours, before I end up running sealert -a and dealing with it myself.
So, you must understand a bit how to read the
sealert -a /var/log/audit/audit.log
which showed you the grep solution applied. You need to read a bit further up. Your output would have looked like below (notice the problem, first pasted line, and the suggested solutions with their confidence; your chosen one falls rather short):
SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket .
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to allow HTTPD scripts and modules to connect to the network using TCP.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect'boolean.
Do
setsebool -P httpd_can_network_connect 1
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to allow HTTPD scripts and modules to connect to databases over the network.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db'boolean.
Do
setsebool -P httpd_can_network_connect_db 1
***** Plugin catchall (6.38 confidence) suggests ***************************
If you believe that httpd should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context system_u:object_r:mysqld_port_t:s0
Target Objects [ tcp_socket ]
Source httpd
Source Path /usr/sbin/httpd
Port 3306
Host <Unknown>
Source RPM Packages httpd-2.2.15-54.el6.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name publicsrv
Platform Linux publicsrv 2.6.32-642.el6.x86_64 #1 SMP Tue
May 10 17:27:01 UTC 2016 x86_64 x86_64
Alert Count 26
First Seen Sat 01 Oct 2016 09:14:01 PM EEST
Last Seen Sat 01 Oct 2016 11:23:12 PM EEST
Local ID 064b82b4-2e50-42ea-9a07-11468d0a62a6
Raw Audit Messages
type=AVC msg=audit(1475353392.72:578): avc: denied { name_connect } for pid=5858 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1475353392.72:578): arch=x86_64 syscall=connect success=no exit=EACCES a0=e a1=7f0cd22a6008 a2=10 a3=40 items=0 ppid=5852 pid=5858 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,mysqld_port_t,tcp_socket,name_connect
audit2allow
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_can_network_connect_db
allow httpd_t mysqld_port_t:tcp_socket name_connect;
audit2allow -R
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_can_network_connect_db
allow httpd_t mysqld_port_t:tcp_socket name_connect;
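An added example (not part of the original thread): a small Python triage script that parses AVC denials like the one quoted above and reports which boolean covers them before anyone builds a local policy module. The `BOOLEANS` table holds only what the sealert output on this page states; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"type=AVC\b.*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Taken from the sealert/audit2allow output quoted on this page, narrowest first:
# the _db boolean covers database connections, the other one any TCP connection.
BOOLEANS = {
    ("httpd_t", "mysqld_port_t", "tcp_socket", "name_connect"):
        ["httpd_can_network_connect_db", "httpd_can_network_connect"],
}

def se_type(context):
    """A context is user:role:type[:level]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return (source type, target type, class, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return se_type(kv["scontext"]), se_type(kv["tcontext"]), kv["tclass"], m.group(1).split()

def triage(lines):
    """Count denials per rule and attach the booleans known to cover each rule."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            counts.update((src, tgt, cls, p) for p in perms)
    return [(rule, n, BOOLEANS.get(rule, [])) for rule, n in counts.most_common()]

# First line is the AVC record from the page; the other two are constructed samples.
SAMPLE = [
    'type=AVC msg=audit(1475353392.72:578): avc:  denied  { name_connect } for  pid=5858 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1475353400.10:579): avc:  denied  { name_connect } for  pid=5860 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1475353392.72:578): arch=x86_64 syscall=connect success=no exit=EACCES comm=httpd',
]

if __name__ == "__main__":
    for rule, n, booleans in triage(SAMPLE):
        fix = "setsebool -P %s 1" % booleans[0] if booleans else "no boolean listed; review before audit2allow -M"
        print(n, " ".join(rule), "->", fix)
```

On a real host, feed it the lines of /var/log/audit/audit.log; a rule with no listed boolean is the case to read closely before allowing it with a generated module.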