Ugh,
The problems I'm having here are entirely down to SELinux and not any file/directory permissions or file/directory ownership issues.
OK, I have a mySQL stored procedure that creates a CSV output file. To create this output file I need to delete the previous version via a PHP script. I've figured out I can allow SELinux mySQLd r/w access to a directory by setting the directory to be of type var_lib_t. Unfortunately, now my PHP script can read the files, but not delete (i.e. unlink) them because SELinux throws an AVC error.
So it seems to me I need a directory that has two different security domains simultaneously (var_lib_t and httpd_sys_content_t) in order to be able to delete the old CSV file and allow mySQLd to create the new one!
Are there any security domains such that httpd and mySQLd can simultaneously have r/w access?
:-?
PHP script and mySQL need r/w access to the same file, but how?
Try public_content_rw_t.
Re: PHP script and mySQL need r/w access to the same file, but how?
TrevorH wrote:
Try public_content_rw_t.
I did try this, and while mysqld can now write the CSV files out to the directory (but only after performing a setsebool -P mysqld_disable_trans=1) httpd throws an error whenever any PHP scripts try to access mysql:
Warning: mysqli::mysqli() [function.mysqli-mysqli]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)
Using audit2allow, I have created a SELinux policy that now seems to have resolved the above mysql.sock issue:
I set the directory to public_content_rw_t
I did a setsebool -P mysqld_disable_trans=1
I tried to connect to the mysql server via my PHP scripts
I extracted the appropriate httpd mysqli errors from the SELinux log created in /var/log/audit/audit.log
I used audit2allow to create a SELinux policy
I used semodule to make the policy active
However, now SELinux is denying my PHP script unlink functionality:
[function.unlink]: Permission denied in /var/www/html/SGEDownload/SGEDownloads.php on line 166
Could not delete file /sqldata/SGEReport-TEMP-FILES/SGE-12MonthAvgWaitTime.txt
I think there may be another boolean that allows httpd write access to other directories.
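The posts above work through the denials one audit2allow run at a time. Before loading a generated module it helps to see exactly which (source domain, target type, object class, permission) tuples the audit log contains, so that each allow rule in the module can be matched to a denial that is actually expected. The script below is an added example and not from this thread or from CentOS; it parses AVC records with awk and prints one line per distinct denial. The audit lines in SAMPLE_AVC are constructed for the example (the names mirror the paths mentioned above, the inode and pid values are made up); on a real system the input would be /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials as
#   <source type> <target type> <object class> <permissions>
# so a policy module generated by audit2allow can be checked
# line by line against what was really denied.

# Constructed sample audit records (not taken from a real system).
SAMPLE_AVC='type=AVC msg=audit(1300000000.123:456): avc:  denied  { unlink } for  pid=1234 comm="httpd" name="SGE-12MonthAvgWaitTime.txt" dev=sda3 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=AVC msg=audit(1300000000.124:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="mysql.sock" dev=sda3 ino=11111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1300000000.125:458): avc:  denied  { write } for  pid=2222 comm="mysqld" name="SGEReport-TEMP-FILES" dev=sda3 ino=22222 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1300000000.126:459): avc:  denied  { unlink } for  pid=1234 comm="httpd" name="SGE-12MonthAvgWaitTime.txt" dev=sda3 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file'

# avc_summary: read audit records on stdin, print each distinct denial once.
# The type is the third colon-separated field of a context
# (user:role:type[:level]); permissions inside "{ ... }" are joined with commas.
avc_summary() {
    LC_ALL=C grep 'avc:  denied' | LC_ALL=C awk '
    {
        perms = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission up to the closing brace
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (perms != "" && src != "" && tgt != "" && cls != "")
            print src, tgt, cls, perms
    }' | LC_ALL=C sort -u
}

# summarize_sample: run the parser over the constructed records above.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
}

summarize_sample
```

Each output line is what one `allow` rule in an audit2allow module would correspond to, which makes it easy to spot a rule that grants more than the task needs (for instance a write on a type unrelated to the CSV directory). Two further points for anyone following this thread: a label applied with chcon is lost on the next relabel, so the durable form is `semanage fcontext -a -t <type> '/path(/.*)?'` followed by `restorecon -R /path`; and a `*_disable_trans` boolean stops the daemon from transitioning into its confined domain at all, so once mysqld_disable_trans is set the choice of directory type only matters for httpd.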