Hi all, I have a question about mysql relocation.
I already created an equivalency rule, such that "semanage fcontext --list -C" returns the following: SELinux Local fcontext Equivalence /mnt/lv_data/var/lib/mysql = /var/lib/mysql
Then I created a symlink in /var/lib: system_u:object_r:mysqld_db_t:s0 26 May 17 14:39 mysql -> /mnt/lv_data/var/lib/mysql
However, httpd/php cannot connect to the database. The following message is logged in audit.log: type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
My understanding is that httpd cannot read the symlink. I expected to find a boolean to allow this kind of access, to no avail.
So my question is: can I allow httpd symlink access without manually modifying the actual policy (i.e. using audit2allow and the like)?
Thanks.
What is the connection between httpd and mariadb server? Is it Unix socket file? Or TCP socket?
In the case of a TCP socket (port + host), it looks weird for httpd to go and read /var/lib/mysql/
Gionatan Danti wrote:
Hi all, I have a question about mysql relocation.
I already created an equivalency rule, such that "semanage fcontext --list -C" returns the following: SELinux Local fcontext Equivalence /mnt/lv_data/var/lib/mysql = /var/lib/mysql
Then I created a symlink in /var/lib: system_u:object_r:mysqld_db_t:s0 26 May 17 14:39 mysql -> /mnt/lv_data/var/lib/mysql
However, httpd/php cannot connect to the database. The following message is logged in audit.log: type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
My understanding is that httpd cannot read the symlink. I expected to find a boolean to allow this kind of access, to no avail.
So my question is: can I allow httpd symlink access without manually modifying the actual policy (i.e. using audit2allow and the like)?
Thanks.
-- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti@assyoma.it - info@assyoma.it GPG public key ID: FF5F32A8 _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 2023-05-18 09:14 Casper wrote:
In the case of a TCP socket (port + host), it looks weird for httpd to go and read /var/lib/mysql/
Hi Casper, by default PHP uses a Unix socket for localhost connections, hence the error reported.
Thanks.
Hi Gionatan,
On Wed, May 17, 2023 at 10:10 PM Gionatan Danti g.danti@assyoma.it wrote:
Hi all, I have a question about mysql relocation.
I already created an equivalency rule, such that "semanage fcontext --list -C" returns the following: SELinux Local fcontext Equivalence /mnt/lv_data/var/lib/mysql = /var/lib/mysql
This is correct.
Then I created a symlink in /var/lib: system_u:object_r:mysqld_db_t:s0 26 May 17 14:39 mysql -> /mnt/lv_data/var/lib/mysql
However, httpd/php cannot connect to the database. The following message is logged in audit.log: type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
My understanding is that httpd cannot read the symlink. I expected to find a boolean to allow this kind of access, to no avail.
httpd can only read and write mysql sockets, so far there was no need to allow other interactions.
So my question is: can I allow httpd symlink access without manually modifying the actual policy (i.e. using audit2allow and the like)?
You can change the value of datadir in mysql configuration. Otherwise, as in all such changes, you need to create a local policy to back that change. It can be as easy as
f38# cat local_mysqld_symlink.cil
(allow httpd_t mysqld_db_t (lnk_file (getattr read)))
f38# semodule -i local_mysqld_symlink.cil
Thanks.
On 2023-05-18 10:39 Zdenek Pytela wrote:
httpd can only read and write mysql sockets, so far there was no need to allow other interactions.
Hi Zdenek, ok, so it is not an error or misconfiguration on my part.
You can change the value of datadir in mysql configuration.
Yeah, I have taken this approach.
Otherwise, as in all such changes, you need to create a local policy to back that change. It can be as easy as
f38# cat local_mysqld_symlink.cil
(allow httpd_t mysqld_db_t (lnk_file (getattr read)))
f38# semodule -i local_mysqld_symlink.cil
When I need to do local policy customizations I generally run audit2allow, whose output is (if I am not mistaken) in a different format than CIL. Is there any documentation on both formats and their differences?
Thanks.
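As an added illustration of the two syntaxes discussed in this thread (not code from any of the posters): the function below turns the AVC denial quoted above into the CIL allow rule of Zdenek's answer and into the equivalent Type Enforcement (.te) statement that audit2allow emits, so the two forms can be compared. It assumes the audit.log field layout seen in the thread (scontext=, tcontext=, tclass=); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: parse one AVC denial into its
# source type, target type, object class and permission set.

# Constructed sample: the denial quoted in the thread (whitespace normalized).
AVC_LINE='type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0'
# Constructed variant with two permissions, matching the rule in the answer.
AVC_MULTI='type=AVC msg=audit(1684352070.000:233): avc: denied { getattr read } for pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0'

# avc_parse LINE: sets SRC, TGT, CLASS, PERMS; returns 1 if any field is missing.
avc_parse() {
    _l=$1
    # permissions between the braces after "denied", collapsed to single spaces
    PERMS=$(printf '%s\n' "$_l" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | tr -s ' ')
    PERMS=${PERMS# }; PERMS=${PERMS% }
    # third colon-separated field of a context is the type (user:role:type:level)
    SRC=$(printf '%s\n' "$_l" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    TGT=$(printf '%s\n' "$_l" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    CLASS=$(printf '%s\n' "$_l" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$PERMS" ] && [ -n "$SRC" ] && [ -n "$TGT" ] && [ -n "$CLASS" ] && return 0
    return 1
}

# CIL form, as used in the local_mysqld_symlink.cil module from the answer.
avc_to_cil() {
    avc_parse "$1" || return 1
    printf '(allow %s %s (%s (%s)))\n' "$SRC" "$TGT" "$CLASS" "$PERMS"
}

# Type Enforcement (.te) form, the syntax audit2allow prints for the same denial.
avc_to_te() {
    avc_parse "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$SRC" "$TGT" "$CLASS" "$PERMS"
}

# Stand-alone run: show both forms for each constructed denial.
for line in "$AVC_LINE" "$AVC_MULTI"; do
    avc_to_cil "$line"
    avc_to_te "$line"
done
# Installing the CIL file is the step from the answer: semodule -i <file>.cil
```

The .te statement still has to be wrapped in a policy module and compiled (the make/semodule steps audit2allow -M performs), whereas the CIL rule is loaded as-is with semodule -i.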