SELinux denies httpd access to /etc/my.cnf

Anthony Messina amessina at messinet.com
Mon Oct 8 16:56:27 UTC 2007


On Monday 08 October 2007 10:07:50 am Doncho N. Gunchev wrote:
> On Friday 2007-10-05 02:22:18 Manuel Wolfshant wrote:
> > On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> > > On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
> > >> Daniel J Walsh wrote:
> > >>> Anthony Messina wrote:
> > >>>> I get the following in my logs, in permissive mode:
> > >>>>
> > >>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
> > >>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0
> > >>>> name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
> > >>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
> > >>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
> > >
> > > ...
> > >
> > >>> Yes it should have the ability to read it.  The only reason there is
> > >>> a type on this file is for database admins to be able to manage it.
> > >>>
> > >>> So  will update policy to allow http to read the file.
> > >>
> > >>     Humm.. /me puzzled
> > >>     Could someone please explain why would the web server (aka httpd)
> > >> need read access to the configuration of the MySQL server  ? I've seen
> > >> quite a few servers in place and never felt the need to crossmix those
> > >> two server daemons with their config files. I've also thought that
> > >> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and  httpd + DB
> > >> implies httpd talking to mysqld .
> > >
> > > Because that's the file mysql clients read their settings from, too :-(
> > > ex:
> > > [client]
> > > user=mysql_owner
> > > socket=/path/to/datadir/mysql/mysql.sock
> > > ...
> > > http://dev.mysql.com/doc/refman/5.0/en/option-files.html
> >
> >     Right, but we were talking about the httpd daemon, not about mysql
> > clients (aka "Most MySQL programs can read startup options from option
> > files ", quoting from the page of which you have given the URL ). Or
> > maybe httpd is a mysql client, too, and it just happens that I have
> > never met such a setup ?  We are not talking about executing mysql
> > command line tools from web pages, are we ?
>
> No, I was not talking about apache executing mysql.
>
> I thought libmysqlclient.so.15 reads /etc/my.cnf (strings
> libmysqlclient.so.15), but it seems it is configurable (from php.net
> comments). I tested with # inotifywait /etc/my.cnf
> on FC7/FC8t3, but restarting apache or running php scripts that
> access the DB shows no access. I'm almost sure I used this a year
> ago to change the default encoding, but now it does not work this
> way any more.
>
> In short, sorry, httpd here does not access /etc/my.cnf.
>
> Maybe some other module like mod_auth_mysql is responsible, but I
> have not tested it. Anthony, what modules do you use and do you
> have any script that executes mysql (the client) directly? What
> distribution, php, apache and mysql versions...?

fedora 7
httpd-2.2.6-1.fc7
php-5.2.4-1.fc7
mysql-server-5.0.45-1.fc7

Loaded Modules: 
mod_python.c, mod_ssl.c, mod_php5.c, mod_perl.c, mod_cgi.c, mod_suexec.c, 
mod_rewrite.c, mod_alias.c, mod_userdir.c, mod_speling.c, mod_actions.c, 
mod_dir.c, mod_negotiation.c, mod_vhost_alias.c, mod_dav_fs.c, mod_info.c, 
mod_autoindex.c, mod_status.c, mod_dav.c, mod_mime.c, mod_setenvif.c, 
mod_usertrack.c, mod_headers.c, mod_deflate.c, mod_expires.c, 
mod_mime_magic.c, mod_ext_filter.c, mod_env.c, mod_logio.c, mod_log_config.c, 
mod_include.c, mod_authnz_ldap.c, util_ldap.c, mod_authz_default.c, 
mod_authz_dbm.c, mod_authz_groupfile.c, mod_authz_owner.c, mod_authz_user.c, 
mod_authz_host.c, mod_authn_default.c, mod_authn_dbm.c, mod_authn_anon.c, 
mod_authn_alias.c, mod_authn_file.c, mod_auth_digest.c, mod_auth_basic.c, 
mod_so.c, http_core.c, prefork.c, core.c

Server Settings
Server Version: Apache/2.2.6 (Unix) DAV/2 PHP/5.2.4 mod_ssl/2.2.6 
OpenSSL/0.9.8b mod_python/3.3.1 Python/2.5 mod_perl/2.0.3 Perl/v5.8.8

-- 
Anthony -  http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
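Added example (not part of the thread, not Fedora or SELinux project code): a small Python parser for AVC records of the form quoted at the top of this thread. It pulls out the source domain, target type, object class and permissions, and derives the type-enforcement allow rule that audit2allow would produce for the same input; a second function merges several records into one rule per (source, target, class) triple. The sample record is the one from Anthony's log, with its line breaks collapsed; any other input lines are constructed for the test. The `audit2allow`-style rule text is the only thing this code emits, it does not run audit2allow or touch the running policy.

```python
"""Parse SELinux AVC records and derive the allow rule audit2allow would emit.

Added example for this thread; it is not code from Fedora, SELinux or the
thread participants.  The record below is the one quoted in the thread.
"""
import re
from dataclasses import dataclass

# AVC record copied from the thread (whitespace collapsed onto one line).
AVC_SAMPLE = (
    'avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 '
    'name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 '
    'subj=root:system_r:httpd_t:s0 suid=48 tclass=file '
    'tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48'
)

# "avc: denied { read write }" -> result and the permission list.
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcRecord:
    result: str      # "denied" or "granted"
    perms: list      # e.g. ["read"]
    fields: dict     # remaining key=value pairs, quotes stripped

    @property
    def source_type(self):
        # scontext is user:role:type:level; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Parse one AVC record; raises ValueError for non-AVC lines."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line[:60])
    result, perms = m.group(1), m.group(2).split()
    fields = {}
    for key, val in _KV_RE.findall(line[m.end():]):
        fields[key] = val.strip('"')
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s" % required)
    return AvcRecord(result, perms, fields)


def describe(rec):
    """One-line human summary of who was denied what on which object."""
    return "%s %s %s on %s %r (type %s), comm=%s pid=%s" % (
        rec.source_type, rec.result, "/".join(rec.perms), rec.tclass,
        rec.fields.get("name", "?"), rec.target_type,
        rec.fields.get("comm", "?"), rec.fields.get("pid", "?"))


def allow_rule(rec):
    """Type-enforcement rule audit2allow would generate for this record."""
    perms = " ".join(sorted(set(rec.perms)))
    return "allow %s %s:%s { %s };" % (
        rec.source_type, rec.target_type, rec.tclass, perms)


def rules_for(lines):
    """Merge many AVC lines into one rule per (source, target, class).

    Non-AVC lines (other audit record types) are skipped, the way
    audit2allow ignores them when fed a whole audit log.
    """
    merged = {}
    for line in lines:
        try:
            rec = parse_avc(line)
        except ValueError:
            continue
        if rec.result != "denied":
            continue
        key = (rec.source_type, rec.target_type, rec.tclass)
        merged.setdefault(key, set()).update(rec.perms)
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in merged.items())


if __name__ == "__main__":
    rec = parse_avc(AVC_SAMPLE)
    print(describe(rec))
    print(allow_rule(rec))
```

Deriving the rule is the mechanical part; whether httpd_t should be allowed to read mysqld_etc_t at all is exactly what the thread is arguing about. Before adding a rule like the one this prints to a local module, confirm (as Doncho did with inotifywait) that the access really comes from the web server itself and not from a module or a script it spawns.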