SELinux denies httpd access to /etc/my.cnf

Manuel Wolfshant wolfy at nobugconsulting.ro
Thu Oct 4 23:22:18 UTC 2007


On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
>   
>> Daniel J Walsh wrote:
>>     
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Anthony Messina wrote:
>>>   
>>>       
>>>> I get the following in my logs, in permissive mode:
>>>>
>>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 
>>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" 
>>>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 
>>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file 
>>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>>>         
> ...
>   
>>> Yes it should have the ability to read it.  The only reason there is a
>>> type on this file is for database admins to be able to manage it.
>>>
>>> So I will update policy to allow httpd to read the file.
>>>
>>>   
>>>       
>>     Humm.. /me puzzled
>>     Could someone please explain why the web server (aka httpd) would 
>> need read access to the configuration of the MySQL server? I've seen 
>> quite a few servers in place and never felt the need to cross-mix those 
>> two server daemons with their config files. I've also thought that 
>> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB 
>> implies httpd talking to mysqld.
>>     
>
> Because that's the file mysql clients read their settings from, too :-(
> ex:
> [client]
> user=mysql_owner
> socket=/path/to/datadir/mysql/mysql.sock
> ...
> http://dev.mysql.com/doc/refman/5.0/en/option-files.html
>
>   
    Right, but we were talking about the httpd daemon, not about mysql 
clients (aka "Most MySQL programs can read startup options from option 
files", quoting from the page whose URL you gave). Or maybe httpd is a 
mysql client, too, and it just happens that I have never met such a 
setup? We are not talking about executing mysql command line tools from 
web pages, are we?

            Manuel
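The AVC record quoted at the top of this thread is the whole evidence the discussion turns on: which domain (scontext type httpd_t) was denied which permission (read) on which type (tcontext type mysqld_etc_t) of which object class (file). The following is an added example, not code from the thread, from Fedora or from the SELinux tools: a small Python parser that takes such records as they appear on one line in audit.log, pulls out those four pieces, emits the type-enforcement rule an audit2allow-style tool would derive from the record, and applies a simple triage heuristic that flags exactly the situation Manuel questions above, a daemon reading another service's configuration type. The first sample record is the one from the thread re-joined onto one line; the second is constructed for illustration; the prefix-based "which service owns this type" heuristic and the name cross_service_config_access are assumptions of this example, not part of any SELinux tool.

```python
import re
import shlex
from dataclasses import dataclass

# Sample input, constructed for this example. The first record is the AVC
# message quoted in the thread, re-joined onto a single line as audit.log
# would carry it. The second record is purely hypothetical and only there to
# show the parser and heuristic are not hard-wired to my.cnf.
SAMPLE_AVC_LINES = [
    'avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" '
    'pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 '
    'subj=root:system_r:httpd_t:s0 suid=48 tclass=file '
    'tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48',
    'avc: denied { write } for comm="httpd" exe="/usr/sbin/httpd" name="index.html" '
    'pid=1234 scontext=system_u:system_r:httpd_t:s0 tclass=file '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0',
]

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)


@dataclass
class AvcRecord:
    verdict: str          # "denied" or "granted"
    perms: list           # permissions inside the braces, e.g. ["read"]
    fields: dict          # every key=value pair after "for", quotes stripped

    @property
    def source_type(self):
        # A security context is user:role:type:level; the type is field 3.
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self):
        return self.fields['tclass']


def parse_avc(line):
    """Parse one AVC line into an AvcRecord, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {}
    # shlex handles the double-quoted values (comm="httpd", name="my.cnf")
    # and leaves unquoted ones such as tty=(none) intact.
    for tok in shlex.split(m.group('rest')):
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
    return AvcRecord(m.group('verdict'), perms, fields)


def allow_rule(rec):
    """Return the TE allow rule that would satisfy this denial verbatim.

    This is the rule an audit2allow-style tool derives; whether it *should*
    be added is the policy question the thread is arguing about.
    """
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};'


def service_prefix(selinux_type):
    """Heuristic (assumption of this example): the text before the first '_'
    in a type name is the service it belongs to, e.g. mysqld_etc_t -> mysqld."""
    return selinux_type.split('_', 1)[0]


def cross_service_config_access(rec):
    """Flag a domain touching a configuration type (*_etc_t or *_config_t)
    that the naming heuristic attributes to a different service.

    For the thread's record this is True: httpd_t reading mysqld_etc_t.
    """
    tgt = rec.target_type
    is_config_type = tgt.endswith('_etc_t') or tgt.endswith('_config_t')
    return is_config_type and service_prefix(rec.source_type) != service_prefix(tgt)


def triage(lines):
    """Summarise a batch of AVC lines: (source, target, class, rule, flagged)."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.verdict != 'denied':
            continue
        out.append((rec.source_type, rec.target_type, rec.tclass,
                    allow_rule(rec), cross_service_config_access(rec)))
    return out


if __name__ == '__main__':
    for src, tgt, cls, rule, flagged in triage(SAMPLE_AVC_LINES):
        mark = 'REVIEW' if flagged else 'ok'
        print(f'{mark:6} {src} -> {tgt}:{cls}   {rule}')
```

The point of the flag is the one Manuel raises: a denial is only the record of what the policy stopped, and the rule that would silence it is mechanical to derive. Deciding whether httpd has any business reading mysqld's configuration is the part no tool does for you, so the heuristic marks such records for a human before anyone pastes the rule into a module.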

More information about the fedora-selinux-list mailing list