SELinux denies httpd access to /etc/my.cnf
Manuel Wolfshant
wolfy at nobugconsulting.ro
Thu Oct 4 23:22:18 UTC 2007
On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
>
>> Daniel J Walsh wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Anthony Messina wrote:
>>>
>>>
>>>> I get the following in my logs, in permissive mode:
>>>>
>>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
>>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
>>>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
>>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
>>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>>>
> ...
>
>>> Yes it should have the ability to read it. The only reason there is a
>>> type on this file is for database admins to be able to manage it.
>>>
>>> So will update policy to allow http to read the file.
>>>
>>>
>>>
>> Humm.. /me puzzled
>> Could someone please explain why the web server (aka httpd) would
>> need read access to the configuration of the MySQL server? I've seen
>> quite a few servers in place and never felt the need to cross-mix those
>> two server daemons with their config files. I've also thought that
>> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB
>> implies httpd talking to mysqld.
>>
>
> Because that's the file mysql clients read their settings from, too :-(
> ex:
> [client]
> user=mysql_owner
> socket=/path/to/datadir/mysql/mysql.sock
> ...
> http://dev.mysql.com/doc/refman/5.0/en/option-files.html
>
>
Right, but we were talking about the httpd daemon, not about mysql
clients (aka "Most MySQL programs can read startup options from option
files", quoting from the page of which you have given the URL). Or
maybe httpd is a mysql client, too, and it just happens that I have
never met such a setup? We are not talking about executing mysql
command-line tools from web pages, are we?
Manuel
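Added example (not from any of the list participants, and not Fedora's policy tooling): the denial quoted at the top of the thread can be turned into the type-enforcement rule it is asking for, which is useful both for reading what the AVC actually says (source type httpd_t, target type mysqld_etc_t, class file, permission read) and for building a local stopgap module while waiting for the policy update Dan mentions. The AVC line below is the one quoted above, re-joined onto a single line as audit.log and ausearch emit it; the module name httpd_mycnf is an arbitrary choice. This is a small re-implementation of the part of audit2allow that matters here, not audit2allow itself, and it does not decide whether the access is legitimate; that is the question the thread is about.

```sh
#!/bin/sh
# Constructed sample: the AVC from the thread, joined onto one line.
AVC_SAMPLE='avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48'

# avc_field KEY LINE: value of the key=value field KEY in an AVC line.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type component (user:role:type:level -> type).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the allow rule that would satisfy the denial.
avc_to_allow() {
    line=$1
    perms=$(avc_perms "$line")
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    class=$(avc_field tclass "$line")
    # Several permissions must be braced: { read open }
    case "$perms" in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$class" "$perms"
}

# avc_to_te_module NAME LINE: a minimal .te in the raw "module" syntax
# that checkmodule accepts (the shape audit2allow -M writes).
avc_to_te_module() {
    line=$2
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    class=$(avc_field tclass "$line")
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '    type %s;\n    type %s;\n' "$src" "$tgt"
    printf '    class %s { %s };\n}\n\n' "$class" "$perms"
    avc_to_allow "$line"
}

# Stand-alone use: print the module for the sample denial.
avc_to_te_module httpd_mycnf "$AVC_SAMPLE"
```

Before installing such a module (checkmodule -M -m -o httpd_mycnf.mod httpd_mycnf.te; semodule_package -o httpd_mycnf.pp -m httpd_mycnf.mod; semodule -i httpd_mycnf.pp), check whether the shipped policy already grants the access, e.g. sesearch -A -s httpd_t -t mysqld_etc_t -c file; once the policy update lands the local module is redundant and should be removed again.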
More information about the fedora-selinux-list mailing list