On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
> Daniel J Walsh wrote:
> > Anthony Messina wrote:
> >
> >> I get the following in my logs, in permissive mode:
> >>
> >> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
> >> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
> >> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
> >> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
> >> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48 ...
> > Yes it should have the ability to read it. The only reason there is a
> > type on this file is for database admins to be able to manage it.
> >
> > So will update policy to allow http to read the file.
> >
> Humm.. /me puzzled
> Could someone please explain why would the web server (aka httpd)
> need read access to the configuration of the MySQL server ? I've seen
> quite a few servers in place and never felt the need to crossmix those
> two servers daemons with their config files. I've also thought that
> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB
> implies httpd talking to mysqld .

Because that's the file mysql clients read their settings too :-(
ex:
[client]
user=mysql_owner
socket=/path/to/datadir/mysql/mysql.sock
...

http://dev.mysql.com/doc/refman/5.0/en/option-files.html

--
Regards,
Doncho N. Gunchev, GPG key ID: 0EF40B9E, Key server: pgp.mit.edu
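
Added example, not part of the original thread and not code from any SELinux tool: a simplified version of the denial-to-rule translation that audit2allow performs, run over the AVC record quoted above to show the type-enforcement rule the denial maps to. The second log record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the thread, joined onto one line
# (the trailing "..." in the post is left out). Second record: constructed.
SAMPLE_LOG = [
    'avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" '
    'pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 '
    'subj=root:system_r:httpd_t:s0 suid=48 tclass=file '
    'tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48',
    # constructed record, to show permissions being merged into one rule
    'avc: denied { getattr } for comm="httpd" name="my.cnf" pid=27370 '
    'scontext=root:system_r:httpd_t:s0 tclass=file '
    'tcontext=system_u:object_r:mysqld_etc_t:s0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields that matter for policy, or None if not a usable denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type[:mls-range]; the type is the third element.
    sctx = fields.get('scontext', '').split(':')
    tctx = fields.get('tcontext', '').split(':')
    if 'tclass' not in fields or len(sctx) < 3 or len(tctx) < 3:
        return None
    return {'perms': m.group(1).split(), 'source': sctx[2], 'target': tctx[2],
            'tclass': fields['tclass'], 'name': fields.get('name')}

def allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec:
            grouped[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```

The derived rule is scoped to the `mysqld_etc_t` type only, so it covers reading the option file and nothing else labelled for mysqld.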