Database connections initiated using PHP fail when SELinux is enabled on a Plesk for Linux server

kb: technical

The next time this KB is applied, collect the following information:

  1. SELinux actual and policy contexts before running restorecon:
  2. # ls -Z /usr/sbin/mariadbd
     # ls -Z /usr/sbin/mysqld
     # ls -lZ /var/lib/mysql
     # ls -Z /opt/plesk/php/8.X/sbin/php-fpm
     # ls -Z /var/lib/mysql/mysql.sock
     # semanage fcontext -l | grep mysql
     # semanage fcontext -l | grep mariadb
     # semanage fcontext -l | grep selinux
     # dnf list installed | grep selinux

  3. Check whether the problem can be fixed by running systemctl stop mariadb; systemctl start mariadb

  4. The restorecon output.

Provide this information in https://webpros.atlassian.net/browse/PPS-18464 and link the ZD ticket to that PPS.

Applicable to:

  • Plesk for Linux

Symptoms

  • Database connections made through PHP fail:
    • Websites do not load and show messages similar to the following:

      Error establishing a database connection

      An unexpected database error occurred. Please try again later.

    • Roundcube webmail does not load and shows:

      Oops... something went wrong!
      An internal error has occurred. Your request cannot be processed at this time.
      For administrators: Please check the application and/or server error logs for more information.

      and the following error message is logged in the Roundcube error log /var/log/plesk-roundcube/errors:

      DB Error: SQLSTATE[HY000] [2002] Permission denied in /usr/share/psa-roundcube/program/lib/Roundcube/rcube_db.php on line 201 (GET /)

  • SELinux is in enforcing mode:

    # sestatus | grep 'Current mode'
    Current mode: enforcing

  • Running the journalctl -u setroubleshootd command produces output similar to the following:

    Nov 06 09:29:41 example.com setroubleshoot[953]: SELinux is preventing /opt/plesk/php/8.2/sbin/php-fpm from connectto access on the unix_stream_socket /var/lib/mysql/mysql.sock. For complete SELinux messages run: sealert -l 84bf8c75-0a8e-46c3-87ba-027b26e27823
    Nov 06 09:29:41 example.com setroubleshoot[953]: SELinux is preventing /opt/plesk/php/8.2/sbin/php-fpm from connectto access on the unix_stream_socket /var/lib/mysql/mysql.sock. 

    ***** Plugin catchall (100. confidence) suggests **************************
    If you believe that php-fpm should be allowed connectto access on the mysql.sock unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: 
    # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm 
    # semodule -X 300 -i my-phpfpm.pp

  • Messages about php-fpm and mysql.sock are logged in /var/log/audit/audit.log:

    type=AVC msg=audit(1739696552.295:5057): avc: denied { connectto } for pid=74152 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
    type=SYSCALL msg=audit(1739696552.295:5057): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff7a1224a0 a2=1b a3=1 items=0 ppid=74143 pid=74152 auid=4294967295 uid=10020 gid=1003 euid=10020 suid=10020 fsuid=10020 egid=1003 sgid=1003 fsgid=1003 tty=(none) ses=4294967295 comm="php-fpm" exe="/opt/plesk/php/8.2/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="**REDACTED**" GID="**REDACTED**" EUID="**REDACTED**" SUID="**REDACTED**" FSUID="**REDACTED**" EGID="**REDACTED**" SGID="**REDACTED**" FSGID="**REDACTED**"
    type=PROCTITLE msg=audit(1739696552.295:5057): proctitle=**REDACTED**

Cause

SELinux is blocking the database connection requests made through PHP-FPM because the database server files have the wrong SELinux labels.

Packages provided by MariaDB are not fully compatible with the system SELinux policy. This is a MariaDB bug that is described at the following link:

https://jira.mariadb.org/browse/MDEV-24941
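
An added example (not part of the original article or of Plesk tooling): a bash function that scans audit records for denied connectto on UNIX stream sockets and flags those whose target domain is unconfined_service_t, as in the audit.log line under Symptoms. That target domain means the listening daemon started from a binary without its domain-entry label, which points to relabelling with restorecon. The sample records, the second socket path and the RELABEL/REVIEW verdict names are constructed for illustration.

```bash
#!/usr/bin/env bash
# classify_avc: read audit records on stdin and print one line per denied
# "connectto" on a unix_stream_socket:
#   <verdict> <comm> <source_type> -> <target_type> <path>
# RELABEL: the listening daemon runs in unconfined_service_t, so its binary
#          had no domain-entry label at start (the case in this article).
# REVIEW:  the daemon is in some other domain; the cause lies elsewhere.
classify_avc() {
  awk '
    index($0, "avc:") && index($0, "denied") && index($0, " connectto ") &&
    index($0, "tclass=unix_stream_socket") {
      comm = path = src = tgt = "?"
      for (i = 1; i <= NF; i++) {
        eq = index($i, "="); if (!eq) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        gsub(/"/, "", val)
        if (key == "comm" && comm == "?") comm = val
        if (key == "path" && path == "?") path = val
        # A context is user:role:type:level; field 3 is the type (domain).
        if (key == "scontext") { split(val, c, ":"); src = c[3] }
        if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
      }
      verdict = (tgt == "unconfined_service_t") ? "RELABEL" : "REVIEW"
      print verdict, comm, src, "->", tgt, path
    }'
}

# Constructed sample records modelled on the audit.log line in Symptoms.
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.100:101): avc:  denied  { connectto } for  pid=1111 comm="php-fpm" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.200:102): avc:  denied  { connectto } for  pid=2222 comm="php-fpm" path="/run/example/app.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.300:103): avc:  denied  { read } for  pid=3333 comm="php-fpm" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

sample_audit_log | classify_avc
```

On a server, real records can be piped in with ausearch -m avc --raw | classify_avc.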

Reinstalling the psa-selinux package does not resolve the issue because of bug https://webpros.atlassian.net/browse/PPPM-14961
If the steps from the resolution do not resolve the issue, try these commands to manage SELinux:

# semanage fcontext -a -t mysqld_exec_t /usr/sbin/mariadbd

# restorecon -v /usr/sbin/mariadbd

# systemctl restart mariadb

 

Resolution

  1. Connect to your Plesk server via SSH
  2. Restore SELinux context for MariaDB and MySQL files:

    # restorecon -v /usr/sbin/mariadbd

    # restorecon -v /usr/sbin/mysqld

    # restorecon -Rv /var/lib/mysql

  3. Restart the MariaDB service:

    # systemctl restart mariadb
