On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
Daniel J Walsh wrote:
Anthony Messina wrote:
I get the following in my logs, in permissive mode:
avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
subj=root:system_r:httpd_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
...
Yes it should have the ability to read it. The only reason there is a
type on this file is for database admins to be able to manage it.
So will update policy to allow http to read the file.
Humm.. /me puzzled
Could someone please explain why would the web server (aka httpd)
need read access to the configuration of the MySQL server? I've seen
quite a few servers in place and never felt the need to crossmix those
two server daemons with their config files. I've also thought that
httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB
implies httpd talking to mysqld.
Because that's the file mysql clients read their settings too :-(
ex:
[client]
user=mysql_owner
socket=/path/to/datadir/mysql/mysql.sock
...
http://dev.mysql.com/doc/refman/5.0/en/option-files.html
Right, but we were talking about the httpd daemon, not about mysql
clients (aka "Most MySQL programs can read startup options from option
files", quoting from the page of which you have given the URL). Or
maybe httpd is a mysql client, too, and it just happens that I have
never met such a setup? We are not talking about executing mysql
command line tools from web pages, are we?
Manuel