Re: Relocating mysql


Hi Gionatan,

On Wed, May 17, 2023 at 10:10 PM Gionatan Danti <g.danti@xxxxxxxxxx> wrote:
> Hi all,
> I have a question about mysql relocation.
>
> I already created an equivalency rule such as "semanage fcontext --list
> -C" returns the following:
> SELinux Local fcontext Equivalence
> /mnt/lv_data/var/lib/mysql = /var/lib/mysql
This is correct.
 

> Then I created a symlink in /var/lib:
> system_u:object_r:mysqld_db_t:s0    26 May 17 14:39 mysql ->
> /mnt/lv_data/var/lib/mysql
>
> However, httpd/php can not connect to the database. The following
> message is logged in audit.log:
> type=AVC msg=audit(1684352064.936:232): avc:  denied  { read } for
> pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
>
> My understanding is that httpd can not read the symlink. I expected to
> find a boolean to allow this kind of access, to no avail.
httpd can only read and write mysql sockets, so far there was no need to allow other interactions.
 
> So my question is: can I allow httpd symlink access without manually
> modifying the actual policy (i.e., using audit2allow and the like)?
You can change the value of datadir in mysql configuration.
Otherwise, as in all such changes, you need to create a local policy to back that change. It can be as easy as

f38# cat local_mysqld_symlink.cil
(allow httpd_t mysqld_db_t (lnk_file (getattr read)))
f38# semodule -i local_mysqld_symlink.cil
 

> Thanks.
>
> --
> Danti Gionatan
> Supporto Tecnico
> Assyoma S.r.l. - www.assyoma.it
> email: g.danti@xxxxxxxxxx - info@xxxxxxxxxx
> GPG public key ID: FF5F32A8
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Zdenek Pytela
Security SELinux team
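The denial-to-rule step behind the CIL module in the reply, as an added example that is not part of the thread: a small Python script that does for this case what audit2allow does, parsing AVC records from audit.log and merging the denied permissions per (source type, target type, class) into one CIL allow rule. The sample log is constructed from the denial quoted above plus a getattr denial of the kind that shows up once read is allowed, so the output equals the rule in the reply.

```python
import re
from collections import defaultdict

# Constructed sample log: the thread's lnk_file read denial, an unrelated
# SYSCALL record (must be ignored), and a follow-up getattr denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1684352064.936:232): avc:  denied  { read } for  pid=8558 comm="httpd" name="mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1684352064.936:232): syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1684352070.101:233): avc:  denied  { getattr } for  pid=8558 comm="httpd" path="/var/lib/mysql" dev="sda4" ino=147925 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file permissive=0
"""

# One AVC record: "denied { perm perm }" ... scontext= ... tcontext= ... tclass=
AVC_RE = re.compile(
    r"type=AVC .*?denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms), or None
    when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def avc_to_cil(log_text):
    """Merge all denials per (source, target, class) into CIL allow rules,
    one rule per triple, permissions sorted for a stable output."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return [
        "(allow %s %s (%s (%s)))" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in avc_to_cil(SAMPLE_AUDIT_LOG):
        print(rule)  # (allow httpd_t mysqld_db_t (lnk_file (getattr read)))
```

Review each generated rule against the access the application really needs before loading it with `semodule -i`; the first option in the reply, pointing datadir at the new location, needs no extra rule at all.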
