View Issue Details

ID: 0013254
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-09-21 19:42
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0013254: SELinux is preventing /usr/sbin/httpd from 'read' accesses on the lnk_file /var/lib/mysql/mysql.sock.
Description:
Description of problem:
SELinux is preventing /usr/sbin/httpd from 'read' accesses on the lnk_file /var/lib/mysql/mysql.sock.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/var/lib/mysql/mysql.sock default label should be user_home_t.
Then you can run restorecon.
# /sbin/restorecon -v /var/lib/mysql/mysql.sock

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that httpd should be allowed read access on the mysql.sock lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c '/usr/sbin/httpd' --raw | audit2allow -M my-usrsbinhttpd
# semodule -i my-usrsbinhttpd.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:mysqld_db_t:s0
Target Objects /var/lib/mysql/mysql.sock [ lnk_file ]
Source /usr/sbin/httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host (removed)
Source RPM Packages httpd-2.4.6-45.el7.centos.4.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.16.1.el7.x86_64 #1 SMP
                              Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64
Alert Count 14
First Seen 2017-05-14 10:59:23 IST
Last Seen 2017-05-14 11:07:27 IST
Local ID caa80a8c-3259-4812-8e1b-b3a860a13d70

Raw Audit Messages
type=AVC msg=audit(1494740247.109:1593): avc: denied { read } for pid=7528 comm="/usr/sbin/httpd" name="mysql" dev="dm-0" ino=100663415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1494740247.109:1593): arch=x86_64 syscall=connect success=no exit=EACCES a0=12 a1=7fff83780080 a2=6e a3=0 items=1 ppid=7371 pid=7528 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1494740247.109:1593): cwd=/usr/share/phpMyAdmin

type=PATH msg=audit(1494740247.109:1593): item=0 name=/var/lib/mysql/mysql.sock objtype=UNKNOWN

Hash: /usr/sbin/httpd,httpd_t,mysqld_db_t,lnk_file,read

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.16.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.




2019-09-21 19:42

reporter   ~0035182

I can confirm that this is still happening.

Reproduction steps:

1. install MySQL 5.7 (maybe MySQL 8.0 also has same issue) from an Oracle repository
2. install HTTPD
3. install PHP 7.2 from a REMI repo + MySQLi module
4. in the /var/www/html folder create a PHP file that will try to connect to a database

You should get a "Permission Denied" error when using the correct MySQL user/password.

These commands might work for MariaDB, but they don't work for MySQL:

1. setsebool -P httpd_can_network_connect 1
2. setsebool -P httpd_can_network_connect_db 1
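
The raw audit records in the issue description share one audit event ID (1494740247.109:1593). The following is an added triage example, not part of the original report or of any CentOS tooling: it groups records by event ID and reduces the event to the denied permission, the source and target types, the object class and the failing syscall. The function names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the "Raw Audit Messages" in the issue description.
SAMPLE = '''\
type=AVC msg=audit(1494740247.109:1593): avc: denied { read } for pid=7528 comm="/usr/sbin/httpd" name="mysql" dev="dm-0" ino=100663415 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mysqld_db_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1494740247.109:1593): arch=x86_64 syscall=connect success=no exit=EACCES a0=12 a1=7fff83780080 a2=6e a3=0 items=1 ppid=7371 pid=7528 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1494740247.109:1593): cwd=/usr/share/phpMyAdmin
type=PATH msg=audit(1494740247.109:1593): item=0 name=/var/lib/mysql/mysql.sock objtype=UNKNOWN
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def group_events(text):
    """Group records by (timestamp, serial): one event spans several record types."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # blank or non-audit line
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body) if rtype == 'AVC' else None
        if p:
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        # A later record of the same type in one event overwrites the earlier one.
        events[(ts, serial)][rtype] = fields
    return dict(events)

def setype(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) > 2 else None

def summarize(event):
    """Flatten one event into the facts needed to triage the denial."""
    avc, sc = event.get('AVC', {}), event.get('SYSCALL', {})
    return {
        'result': avc.get('result'), 'perms': avc.get('perms'),
        'source_type': setype(avc.get('scontext')),
        'target_type': setype(avc.get('tcontext')),
        'tclass': avc.get('tclass'), 'avc_name': avc.get('name'),
        'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
        'path': event.get('PATH', {}).get('name'),
        'cwd': event.get('CWD', {}).get('cwd'),
    }

if __name__ == '__main__':
    for key, event in group_events(SAMPLE).items():
        print(key, summarize(event))
```

The summary keeps both the AVC `name` field (`mysql`, the directory entry the denial applies to) and the PATH record's full path passed to `connect`, so the two can be compared when deciding which object needs relabeling.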

Issue History

Date Modified Username Field Change
2017-05-14 05:43 rakesh4osdd New Issue
2019-09-21 19:42 aik099 Note Added: 0035182