Bug 728537 - SELinux is preventing /usr/sbin/httpd from 'read' accesses on the lnk_file /var/lib/mysql.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:ac9d9aec126...
Depends On:
Blocks:
Reported: 2011-08-05 13:02 UTC by Valentin
Modified: 2019-09-21 19:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 16:45:10 UTC
Type: ---
Embargoed:



Description Valentin 2011-08-05 13:02:36 UTC
SELinux is preventing /usr/sbin/httpd from 'read' accesses on the lnk_file /var/lib/mysql.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed read access on the mysql lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                /var/lib/mysql [ lnk_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.17-10.fc15.1
Target RPM Packages           mysql-server-5.5.14-2.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686.PAE #1 SMP Fri Jul
                              29 18:47:58 UTC 2011 i686 i686
Alert Count                   11
First Seen                    Fri 05 Aug 2011 03:35:19 PM EEST
Last Seen                     Fri 05 Aug 2011 03:54:38 PM EEST
Local ID                      aa9b9ca8-70ae-44ea-a8bf-9b419c650f70

Raw Audit Messages
type=AVC msg=audit(1312548878.368:148): avc:  denied  { read } for  pid=9167 comm="httpd" name="mysql" dev=sda1 ino=1759 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1312548878.368:148): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bff68540 a2=a75e4dc a3=0 items=0 ppid=9159 pid=9167 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,mysqld_db_t,lnk_file,read

audit2allow

#============= httpd_t ==============
allow httpd_t mysqld_db_t:lnk_file read;

audit2allow -R

#============= httpd_t ==============
allow httpd_t mysqld_db_t:lnk_file read;
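
How the raw AVC record above maps to the rule audit2allow printed, as an added example (not part of the original report and not audit2allow's own code). The `example_t` record is constructed to show that filtering on source and target type keeps a local module limited to the one denial under review, whereas the `grep httpd` pipeline feeds every matching denial into the module.

```python
import re
from collections import defaultdict

# First record: the AVC line from this report. The SYSCALL line is trimmed and
# the last record (example_t) is constructed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312548878.368:148): avc:  denied  { read } for  pid=9167 comm="httpd" name="mysql" dev=sda1 ino=1759 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1312548878.368:148): arch=i386 syscall=socketcall success=no exit=EACCES comm=httpd exe=/usr/sbin/httpd
type=AVC msg=audit(1312548900.000:150): avc:  denied  { read getattr } for  pid=9200 comm="httpd" name="example" dev=sda1 ino=2000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type:level; policy rules use only the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rules(log_text, source=None, target=None):
    """Build allow rules from denials, optionally limited to one source/target type."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if (source and avc["source"] != source) or (target and avc["target"] != target):
            continue
        grouped[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG, "httpd_t", "mysqld_db_t")))
```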

Comment 1 Daniel Walsh 2011-08-05 14:18:14 UTC
Why is apache trying to read a link file mysql?

Comment 2 Alex 2019-09-21 19:53:26 UTC
Apache needs to read MySQL files because, when the PHP module is installed, it can connect to the database during a web request.

I guess that while establishing a database connection (when the MySQL server is started using a socket), HTTPD tries to access that socket file.


Thank you.

