Here's the setup: I let MySQL dump tables to `/tmp` (they just contain numbers, no real data) for PHP to pick up and process. After this, the temp files are no longer needed, so I delete them with PHP (`unlink`).

Of course, SELinux does not like this. I can set up `/tmp` fine for MySQL to read/write, and PHP to read/write from it, but when PHP wants to delete the file MySQL created, it cannot. I thought it might have to do with the 'sticky bit' on `/tmp`, but that makes no difference.
I can't really find a proper solution for this problem; most solutions address the issue of making directories readable/writable to PHP (or, the httpd user that is), not deleting someone else's files.
BTW: if I turn SELinux off, PHP will delete the files without issue. So it is definitely something I have to change SELinux-wise, but what would be the best approach?
Best Answer
As per my comment: I solved it by leveraging `audit2allow`.

1. Search `/var/log/audit/audit.log` for the offending rule (I used the filename of the file MySQL had written).
2. Run `audit2allow` and review it: `grep {offending rule name} /var/log/audit/audit.log | audit2allow -a`
3. The rule from step 2 was `allow httpd_t mysqld_tmp_t:file unlink;`, so that looked exactly like what I was after. With that result, I created a new module: `grep {offending rule name} /var/log/audit/audit.log | audit2allow -a -M tmp`. This generates a file called `tmp.pp`.
4. `semodule -i tmp.pp`
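To make the review step concrete, here is an added illustration (not code from the original answer) of what `audit2allow` derives from a denial: a POSIX sh function that reads constructed AVC records and prints the allow rule each one would need, so you can see exactly what a module like `tmp.pp` will grant before loading it. The log lines, PIDs, inode and file name are invented for the example.

```shell
#!/bin/sh
# Constructed AVC records (values invented): the first is the kind of line the
# answer's grep finds, the second is a multi-permission denial, the third is a
# SYSCALL record that must be ignored because it is not an AVC denial.
SAMPLE_LOG='type=AVC msg=audit(1700000000.123:456): avc:  denied  { unlink } for  pid=1234 comm="httpd" name="dump_42.csv" dev="tmpfs" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="dump_42.csv" dev="tmpfs" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=87 success=no exit=-13 comm="httpd"'

# field BRE: print the first capture group of the expression applied to stdin
# (prints nothing when the line does not match).
field() { sed -n "s/.*$1.*/\1/p"; }

# avc_to_allow: read audit records on stdin and print, for each AVC denial, the
# type-enforcement rule audit2allow would generate: source type, target type,
# object class and the denied permission(s).
avc_to_allow() {
  while IFS= read -r line; do
    case "$line" in *'avc: '*denied*) ;; *) continue ;; esac
    perm=$(printf '%s\n' "$line" | field 'denied *{ *\([^}]*[^} ]\) *}')
    stype=$(printf '%s\n' "$line" | field 'scontext=[^:]*:[^:]*:\([^: ]*\)')
    ttype=$(printf '%s\n' "$line" | field 'tcontext=[^:]*:[^:]*:\([^: ]*\)')
    tclass=$(printf '%s\n' "$line" | field 'tclass=\([^ ]*\)')
    # Skip malformed records rather than emit a half-built rule.
    [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || continue
    # Several permissions are written as a brace set, a single one bare.
    case "$perm" in *' '*) perm="{ $perm }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perm"
  done
}

printf '%s\n' "$SAMPLE_LOG" | avc_to_allow
```

The first line it prints is the same `allow httpd_t mysqld_tmp_t:file unlink;` the answer saw; if a denial names a source or target type you did not expect (a file labelled `mysqld_tmp_t` that should not be under httpd's control, for instance), that is a reason to fix the label rather than load the rule.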