Linux – SELinux: how to allow httpd to delete temp files from MySQL

Tags: centos, file-permissions, linux, selinux

Here's the setup: I let MySQL dump tables to /tmp (they just contain numbers, no real data) for PHP to pick up and process. After this, the temp files are no longer needed, so I delete them with PHP (unlink).

Of course, SELinux does not like this. I can set up /tmp fine for MySQL to read/write, and PHP to read/write from it, but when PHP wants to delete the file MySQL created, it cannot. I thought it might have to do with the 'sticky bit' on /tmp, but that makes no difference.

I can't really find a proper solution for this problem; most solutions address the issue of making directories readable/writable to PHP (or, rather, the httpd user), not deleting someone else's files.

BTW: if I turn SELinux off, PHP will delete the files without issue. So it is definitely something I have to change SELinux-wise, but what would be the best approach?

Best Answer

As per my comment: I solved it by leveraging audit2allow.

  1. Scan /var/log/audit/audit.log for the offending rule (I used the filename of the file MySQL had written)
  2. Pipe the rule to audit2allow and review it: grep {offending rule name} /var/log/audit/audit.log | audit2allow -a
  3. I got allow httpd_t mysqld_tmp_t:file unlink; from step 2, so that looked exactly like what I was after. With that result, I created a new module: grep {offending rule name} /var/log/audit/audit.log | audit2allow -a -M tmp. This generates a file called tmp.pp.
  4. Import the module file: semodule -i tmp.pp
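The four steps above, as an added worked example (this is not the answerer's script, and the audit log line in it is constructed for illustration; the pid, inode, timestamp and file name are made up). The script isolates the AVC fields that audit2allow turns into a rule, so you can check by hand that the generated rule is exactly the one you expect (httpd_t unlinking a mysqld_tmp_t file, nothing broader) before loading the module. The helper names (avc_field, context_type, avc_to_allow, denials_for_file, build_and_install_module) are this example's own.

```shell
#!/bin/sh
# Added example: review an AVC denial by hand, then build and load the module
# the way the answer describes. Only the final function needs root and
# policycoreutils (audit2allow, semodule).

# Constructed AVC denial mirroring the one in the answer (values are made up).
CONSTRUCTED_AVC='type=AVC msg=audit(1404731221.000:1234): avc:  denied  { unlink } for  pid=4321 comm="httpd" name="mysql_dump.csv" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_tmp_t:s0 tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type component (third field) of an SELinux context user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Turn one AVC denial into the allow rule audit2allow would generate for it:
#   allow <source type> <target type>:<class> { permissions };
# (audit2allow itself writes a single permission without braces; both forms
# are valid policy syntax.)
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//')
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Step 1: pull only the denials that name the dump file out of the audit log.
# Usage: denials_for_file /var/log/audit/audit.log mysql_dump.csv
denials_for_file() {
    grep '^type=AVC' "$1" | grep "name=\"$2\""
}

# Steps 2-4: review the rule audit2allow proposes, build the module, load it.
# Usage: build_and_install_module /var/log/audit/audit.log mysql_dump.csv tmp
build_and_install_module() {
    logfile=$1; fname=$2; modname=$3
    denials_for_file "$logfile" "$fname" | audit2allow              # review first
    denials_for_file "$logfile" "$fname" | audit2allow -M "$modname" # writes $modname.te and $modname.pp
    # Open "$modname.te" and confirm it holds only the unlink rule before loading.
    semodule -i "$modname.pp"
}

# Stand-alone run: show the rule the constructed denial maps to.
avc_to_allow "$CONSTRUCTED_AVC"
```

Feeding audit2allow only the lines that mention the dump file, rather than the whole audit log, keeps the module to the one rule the setup needs; the .te file written by -M is the place to confirm that before semodule -i loads it.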