SELinux denies httpd access to /etc/my.cnf

Manuel Wolfshant wolfy at nobugconsulting.ro
Wed Oct 3 13:59:15 UTC 2007


Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Anthony Messina wrote:
>   
>> I get the following in my logs, in permissive mode:
>>
>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 
>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" 
>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 
>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file 
>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>
>> avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48 
>> exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" 
>> path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 
>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file 
>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>
>> Should httpd be accessing this file?  If so, how would I set up that 
>> configuration?  It seems that if this type of access is necessary, a boolean 
>> would be in place.
>>
>>
>>     
>
> Yes it should have the ability to read it.  The only reason there is a
> type on this file is for database admins to be able to manage it.
>
> So I will update policy to allow http to read the file.
>
>   
    Humm.. /me puzzled
    Could someone please explain why the web server (aka httpd) would
need read access to the configuration of the MySQL server? I've seen
quite a few servers in place and never felt the need to cross-mix those
two server daemons with their config files. I've also thought that
httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB
implies httpd talking to mysqld.
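The two AVC records quoted in the original post map mechanically onto a type-enforcement rule. As an added example (not from the list post, and not Fedora's policy tooling), here is a small Python parser that does the same grouping audit2allow does: it reads AVC lines, extracts the source type, target type, object class and permissions, and renders the allow rule that would silence them. The two sample records are reconstructed from the post above, re-joined onto one line each; the regexes and function names are the example's own. The rule it emits is exactly what an unthinking audit2allow -M would hand you; whether httpd should have that access at all is the question the thread is actually arguing about, and no parser answers it.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the post, each rewrapped onto a
# single line (constructed test data, not a live audit log).
SAMPLE_AVCS = """\
avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
"""

# "avc: denied { read getattr } for <key=value ...>"
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either "quoted strings" or bare tokens like tty=(none)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into its verdict, permissions and contexts.

    Returns None for lines that are not AVC records.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'fields': fields,
    }


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        denials[key].update(rec['perms'])
    return dict(denials)


def to_allow_rules(denials):
    """Render the grouped denials as audit2allow-style TE allow rules."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Before turning output like this into a local policy module, check whether a boolean already covers the access (`getsebool -a | grep httpd`) and whether the denial is one the distribution policy is expected to fix, as Daniel indicates for this case; in permissive mode every such denial is logged but none is enforced, so a rule generated this way is only as justified as the access it describes.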

More information about the fedora-selinux-list mailing list