I get the following in my logs, in permissive mode:
avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
Should httpd be accessing this file? If so, how would I set up that configuration? It seems that if this type of access is necessary, a boolean would be in place.
Anthony Messina wrote:
> I get the following in my logs, in permissive mode:
> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
> avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
> Should httpd be accessing this file? If so, how would I set up that configuration? It seems that if this type of access is necessary, a boolean would be in place.
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, it should have the ability to read it. The only reason there is a type on this file is for database admins to be able to manage it.
So I will update policy to allow httpd to read the file.
Daniel J Walsh wrote:
> Yes, it should have the ability to read it. The only reason there is a type on this file is for database admins to be able to manage it.
> So I will update policy to allow httpd to read the file.
Humm.. /me puzzled. Could someone please explain why the web server (aka httpd) would need read access to the configuration of the MySQL server? I've seen quite a few servers in place and never felt the need to cross-mix those two server daemons with their config files. I've also thought that httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB implies httpd talking to mysqld.
On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
> Humm.. /me puzzled. Could someone please explain why the web server (aka httpd) would need read access to the configuration of the MySQL server? I've seen quite a few servers in place and never felt the need to cross-mix those two server daemons with their config files. I've also thought that httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf, and httpd + DB implies httpd talking to mysqld.
Because that's the file mysql clients read their settings too :-( ex:
[client]
user=mysql_owner
socket=/path/to/datadir/mysql/mysql.sock
...
http://dev.mysql.com/doc/refman/5.0/en/option-files.html
On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> Because that's the file mysql clients read their settings too :-( ex:
> [client]
> user=mysql_owner
> socket=/path/to/datadir/mysql/mysql.sock
> ...
> http://dev.mysql.com/doc/refman/5.0/en/option-files.html
Right, but we were talking about the httpd daemon, not about mysql clients (aka "Most MySQL programs can read startup options from option files", quoting from the page whose URL you gave). Or maybe httpd is a mysql client, too, and it just happens that I have never met such a setup? We are not talking about executing mysql command line tools from web pages, are we?
Manuel
On Friday 2007-10-05 02:22:18 Manuel Wolfshant wrote:
> Right, but we were talking about the httpd daemon, not about mysql clients (aka "Most MySQL programs can read startup options from option files", quoting from the page whose URL you gave). Or maybe httpd is a mysql client, too, and it just happens that I have never met such a setup? We are not talking about executing mysql command line tools from web pages, are we?
No, I was not talking about apache executing mysql.
I thought libmysqlclient.so.15 reads /etc/my.cnf (strings libmysqlclient.so.15), but it seems it is configurable (from php.net comments). I tested with # inotifywait /etc/my.cnf on FC7/FC8t3, but restarting apache or running php scripts that access the DB shows no access. I'm almost sure I used this a year ago to change the default encoding, but now it does not work this way any more.
In short, sorry, httpd here does not access /etc/my.cnf.
Maybe some other module like mod_auth_mysql is responsible, but I have not tested it. Anthony, what modules do you use and do you have any script that executes mysql (the client) directly? What distribution, php, apache and mysql versions...?
On Monday 08 October 2007 10:07:50 am Doncho N. Gunchev wrote:
> No, I was not talking about apache executing mysql.
> I thought libmysqlclient.so.15 reads /etc/my.cnf (strings libmysqlclient.so.15), but it seems it is configurable (from php.net comments). I tested with # inotifywait /etc/my.cnf on FC7/FC8t3, but restarting apache or running php scripts that access the DB shows no access. I'm almost sure I used this a year ago to change the default encoding, but now it does not work this way any more.
> In short, sorry, httpd here does not access /etc/my.cnf.
> Maybe some other module like mod_auth_mysql is responsible, but I have not tested it. Anthony, what modules do you use and do you have any script that executes mysql (the client) directly? What distribution, php, apache and mysql versions...?
fedora 7
httpd-2.2.6-1.fc7
php-5.2.4-1.fc7
mysql-server-5.0.45-1.fc7

Loaded Modules:
mod_python.c, mod_ssl.c, mod_php5.c, mod_perl.c, mod_cgi.c, mod_suexec.c, mod_rewrite.c, mod_alias.c, mod_userdir.c, mod_speling.c, mod_actions.c, mod_dir.c, mod_negotiation.c, mod_vhost_alias.c, mod_dav_fs.c, mod_info.c, mod_autoindex.c, mod_status.c, mod_dav.c, mod_mime.c, mod_setenvif.c, mod_usertrack.c, mod_headers.c, mod_deflate.c, mod_expires.c, mod_mime_magic.c, mod_ext_filter.c, mod_env.c, mod_logio.c, mod_log_config.c, mod_include.c, mod_authnz_ldap.c, util_ldap.c, mod_authz_default.c, mod_authz_dbm.c, mod_authz_groupfile.c, mod_authz_owner.c, mod_authz_user.c, mod_authz_host.c, mod_authn_default.c, mod_authn_dbm.c, mod_authn_anon.c, mod_authn_alias.c, mod_authn_file.c, mod_auth_digest.c, mod_auth_basic.c, mod_so.c, http_core.c, prefork.c, core.c

Server Settings
Server Version: Apache/2.2.6 (Unix) DAV/2 PHP/5.2.4 mod_ssl/2.2.6 OpenSSL/0.9.8b mod_python/3.3.1 Python/2.5 mod_perl/2.0.3 Perl/v5.8.8