SELinux denies httpd access to /etc/my.cnf

Doncho N. Gunchev gunchev at gmail.com
Mon Oct 8 15:07:50 UTC 2007


On Friday 2007-10-05 02:22:18 Manuel Wolfshant wrote:
> On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> > On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
> >   
> >> Daniel J Walsh wrote:
> >>     
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Anthony Messina wrote:
> >>>   
> >>>       
> >>>> I get the following in my logs, in permissive mode:
> >>>>
> >>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 
> >>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" 
> >>>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 
> >>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file 
> >>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
> >>>>         
> > ...
> >   
> >>> Yes it should have the ability to read it.  The only reason there is a
> >>> type on this file is for database admins to be able to manage it.
> >>>
> >>> So  will update policy to allow http to read the file.
> >>>
> >>>   
> >>>       
> >>     Humm.. /me puzzled
> >>     Could someone please explain why the web server (aka httpd)
> >> would need read access to the configuration of the MySQL server? I've seen
> >> quite a few servers in place and never felt the need to cross-mix those
> >> two server daemons with their config files. I've also thought that
> >> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB
> >> implies httpd talking to mysqld.
> >>     
> >
> > Because that's the file mysql clients read their settings from too :-(
> > e.g.:
> > [client]
> > user=mysql_owner
> > socket=/path/to/datadir/mysql/mysql.sock
> > ...
> > http://dev.mysql.com/doc/refman/5.0/en/option-files.html
> >
> >   
>     Right, but we were talking about the httpd daemon, not about mysql
> clients (aka "Most MySQL programs can read startup options from option
> files", quoting from the page of which you have given the URL). Or
> maybe httpd is a mysql client, too, and it just happens that I have
> never met such a setup? We are not talking about executing mysql
> command line tools from web pages, are we?
> 
No, I was not talking about apache executing mysql.

I thought libmysqlclient.so.15 reads /etc/my.cnf (strings libmysqlclient.so.15),
but it seems it is configurable (from php.net comments). I tested with
# inotifywait /etc/my.cnf
on FC7/FC8t3, but restarting apache or running php scripts that
access the DB shows no access. I'm almost sure I used this a year
ago to change the default encoding, but now it does not work this
way any more.

In short, sorry, httpd here does not access /etc/my.cnf.

Maybe some other module like mod_auth_mysql is responsible, but I
have not tested it. Anthony, what modules do you use and do you
have any script that executes mysql (the client) directly? What
distribution, php, apache and mysql versions...?

-- 
Regards,
  Doncho N. Gunchev, GPG key ID: 0EF40B9E, Key server: pgp.mit.edu
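An added example (not from this thread or from Fedora's tooling): a small Python parser that turns an AVC record like the one Anthony quoted into structured fields, so the source type (httpd_t), target type (mysqld_etc_t), object class and requested permissions can be checked or filtered rather than read by eye. The sample record is the thread's own denial rejoined onto one line; the function and field names are the example's own.

```python
import re

# Constructed sample: the AVC record quoted in the thread, rejoined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" '
    'pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 '
    'subj=root:system_r:httpd_t:s0 suid=48 tclass=file '
    'tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48'
)

# "avc: denied { read write } for <key=value fields...>"
_HEAD = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict: verdict, perms (list), every key=value
    field, plus source_type/target_type split out of scontext/tcontext.
    Returns None if the line is not an AVC record."""
    m = _HEAD.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in _KV.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is the third field.
    for ctx, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = rec.get(ctx, "").split(":")
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def matches(rec, source_type, target_type, perm):
    """True if the record is a denial of `perm` from source_type to target_type."""
    return (rec is not None and rec["verdict"] == "denied"
            and rec["source_type"] == source_type
            and rec["target_type"] == target_type and perm in rec["perms"])


def summarize(line):
    """One-line summary for scanning logs: process, source -> target:class (perms)."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return "%s %s %s -> %s:%s (%s)" % (rec["verdict"], rec.get("comm"), rec["source_type"],
                                       rec["target_type"], rec.get("tclass"), ",".join(rec["perms"]))
```

Running `summarize(SAMPLE_AVC)` on the thread's record gives `denied httpd httpd_t -> mysqld_etc_t:file (read)`, and `matches(parse_avc(SAMPLE_AVC), "httpd_t", "mysqld_etc_t", "read")` is the check for exactly the denial being discussed.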