What is the connection between httpd and the mariadb server? Is it a Unix socket file? Or a TCP socket?

In the case of a TCP socket (port + host), it looks weird for httpd to be reading /var/lib/mysql/

Gionatan Danti wrote:
> Hi all,
> I have a question about mysql relocation.
>
> I already created an equivalency rule such that "semanage fcontext --list -C"
> returns the following:
> SELinux Local fcontext Equivalence
> /mnt/lv_data/var/lib/mysql = /var/lib/mysql
>
> Then I created a symlink in /var/lib:
> system_u:object_r:mysqld_db_t:s0 26 May 17 14:39 mysql ->
> /mnt/lv_data/var/lib/mysql
>
> However, httpd/php cannot connect to the database. The following message is
> logged in audit.log:
> type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558
> comm="httpd" name="mysql" dev="sda4" ino=147925
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
>
> My understanding is that httpd cannot read the symlink. I expected to find
> a boolean to allow this kind of access, to no avail.
>
> So my question is: can I allow httpd symlink access without manually
> modifying the actual policy (i.e. using audit2allow and the like)?
>
> Thanks.
>
> --
> Danti Gionatan
> Supporto Tecnico
> Assyoma S.r.l. - www.assyoma.it
> email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
> GPG public key ID: FF5F32A8
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org
CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
Jabber/XMPP Messaging: casper@xxxxxxxxxxxxxxxxxx
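Added example, not part of either message in this thread: a small Python parser run over the AVC record quoted above, splitting it into source domain, target type, object class and permission, and rendering the type-enforcement rule the denial corresponds to. The function names are this example's own; the record is copied from the message with its line wrapping removed.

```python
import re

# AVC record copied from the message above (line wrapping removed).
AVC = ('type=AVC msg=audit(1684352064.936:232): avc: denied { read } for pid=8558 '
       'comm="httpd" name="mysql" dev="sda4" ino=147925 '
       'scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Split one AVC audit record into a dict of its fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {"result": m["result"], "perms": m["perms"].split()}
    # Remaining fields are key=value pairs; values may be double-quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def te_rule(rec):
    """Render the denial as the type-enforcement rule it corresponds to."""
    perms = rec["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perm_s};"

def describe(rec):
    """One-line summary naming the kind of object that was denied."""
    kind = {"lnk_file": "symbolic link", "sock_file": "Unix socket file",
            "dir": "directory", "file": "regular file"}.get(rec["tclass"], rec["tclass"])
    return (f"{rec['comm']} ({rec['source_type']}) was {rec['result']} "
            f"{'/'.join(rec['perms'])} on the {kind} named {rec['name']!r} "
            f"labelled {rec['target_type']}")

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(describe(rec))
    print(te_rule(rec))
```

The `tclass=lnk_file` field shows that the denied object is the `mysql` symlink itself, not a socket file or a network port.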