PHP script and mySQL need r/w access to the same file, but how?

80251
Posts: 10
Joined: 2013/01/10 07:54:34

PHP script and mySQL need r/w access to the same file, but how?

Post by 80251 » 2013/03/20 06:45:02

Ugh,

The problems I'm having here are entirely down to SELinux and not any file/directory permissions or file/directory ownership issues.

OK, I have a mySQL stored procedure that creates a CSV output file. To create this output file I need to delete the previous version via a PHP
script. I've figured out I can allow SELinux mySQLd r/w access to a directory by setting the directory to be of type var_lib_t. Unfortunately,
now my PHP script can read the files, but not delete (i.e. unlink) them because SELinux throws an AVC error.

So it seems to me I need a directory that has two different security domains simultaneously (var_lib_t and httpd_sys_content_t) in order
to be able to delete the old CSV file and allow mySQLd to create the new one!

Are there any security domains such that httpd and mySQLd can simultaneously have r/w access?
:-?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PHP script and mySQL need r/w access to the same file, but how?

Post by TrevorH » 2013/03/20 12:43:46

Try public_content_rw_t.

80251
Posts: 10
Joined: 2013/01/10 07:54:34

Re: PHP script and mySQL need r/w access to the same file, but how?

Post by 80251 » 2013/03/20 20:44:06

TrevorH wrote:
> Try public_content_rw_t.

I did try this, and while mysqld can now write the CSV files out to the directory (but only after performing
a setsebool -P mysqld_disable_trans=1), httpd throws an error whenever any PHP script tries to access mysql:

Warning: mysqli::mysqli() [function.mysqli-mysqli]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

Using audit2allow, I have created an SELinux policy that now seems to have resolved the above mysql.sock issue:

1. I set the directory to public_content_rw_t

2. I did a setsebool -P mysqld_disable_trans=1

3. I tried to connect to the mysql server via my PHP scripts

4. I extracted the appropriate httpd mysqli errors from the SELinux log created in /var/log/audit/audit.log

5. Used audit2allow to create an SELinux policy

6. Used semodule to make the policy active

However, now SELinux is denying my PHP script unlink functionality:

[function.unlink]: Permission denied in /var/www/html/SGEDownload/SGEDownloads.php on line 166
Could not delete file /sqldata/SGEReport-TEMP-FILES/SGE-12MonthAvgWaitTime.txt

I think there may be another boolean that allows httpd write access to other directories.
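As an added example (not code from the thread), here is a small Python triage script that groups AVC denials from audit.log by source domain, target type and object class, which is the same grouping audit2allow performs before it writes a module; the sample log lines are constructed to model the unlink and mysql.sock denials described in the posts above.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the original post).
# They model the denials the thread describes: httpd unable to unlink a CSV
# in a public_content_rw_t directory, and httpd unable to reach mysql.sock.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363812246.123:4501): avc:  denied  { unlink } for  pid=2211 comm="httpd" name="SGE-12MonthAvgWaitTime.txt" dev=sda3 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=file
type=AVC msg=audit(1363812246.123:4502): avc:  denied  { write } for  pid=2211 comm="httpd" name="SGEReport-TEMP-FILES" dev=sda3 ino=130 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:public_content_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1363812246.123:4502): arch=c000003e syscall=87 success=no exit=-13
type=AVC msg=audit(1363812300.555:4510): avc:  denied  { connectto } for  pid=2211 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
"""

# Matches the permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def summarize_avc(log_text):
    """Group denials as {(source domain, target type, class): {permissions}}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no denial of their own
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return dict(summary)


def format_rules(summary):
    """Render the summary in the allow-rule form audit2allow would emit."""
    return [
        "allow {} {}:{} {{ {} }};".format(src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    # On a real system, read /var/log/audit/audit.log instead of the sample.
    for rule in format_rules(summarize_avc(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Reading this summary before running audit2allow shows whether the denials are all against one target type (so a relabel or an existing boolean may cover them) or span several domains, which is when a custom allow rule needs closer review.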
