Klaus

SELinux and load data infile

 Mon, 20 Jan 2014 23:51:12 +0100 
#SELinux should be simple actually. It is just about labels. o_O But today I am again totally stuck and don't get along. For AppArmor I have found solutions, there is even one documented at Piwik's FAQ http://piwik.org/faq/troubleshooting/#faq_194, but I cannot find any satisfying solution for SELinux. I have tried several search engines, but somehow I cannot find anything that solves this problem.

Here is my problem:
Try #1: LOAD DATA INFILE : SQLSTATE[HY000]: General error: 13 Can't get stat of '/srv/.../piwik/tmp/assets/piwik_option-29b74e562dbd45071d2667ee8774bdfd.csv' (Errcode: 13)

This should be a common task, I think; why can't I find anything appropriate? Either httpd is complaining or mysqld complains that it cannot access the required files.

audit.log shows this:

type=AVC msg=audit(1390235950.375:12795): avc:  denied  { getattr } for  pid=43196 comm="mysqld" path="/srv/.../piwik/tmp/assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12795): arch=c000003e syscall=6 success=no exit=-13 a0=7fed64073930 a1=7fed64073860 a2=7fed64073860 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1390235950.375:12796): avc:  denied  { search } for  pid=43196 comm="mysqld" name="assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12796): arch=c000003e syscall=4 success=no exit=-13 a0=7fed64074fc0 a1=7fed64074eb0 a2=7fed64074eb0 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)

audit2allow gives me this solution:
#============= mysqld_t ==============
allow mysqld_t httpd_sys_rw_content_t:dir { getattr search };

But this solution seems to grant far too many permissions to mysqld. I only want to allow it for this single folder, not all folders that httpd has rw permissions on.
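One way to narrow the rule to a single directory, as an added example that is not from this thread or from Piwik: give the shared directory its own SELinux type in a small policy module and allow mysqld_t only on that type, so the broad httpd_sys_rw_content_t label stays untouched. The path /srv/www/piwik/tmp/assets, the type name piwik_assets_t and the module name are assumptions.

```shell
# Added example (not from the thread): give the shared CSV directory its own
# SELinux type so mysqld_t is allowed on that one label only, not on every
# httpd_sys_rw_content_t directory. Assumed path and type name are placeholders.
ASSETS_DIR="${ASSETS_DIR:-/srv/www/piwik/tmp/assets}"
MODULE=piwik_assets

# Write the type-enforcement source (audit2allow style, no refpolicy macros).
write_te() {
    cat > "$1" <<'EOF'
module piwik_assets 1.0;

require {
    type httpd_t;
    type mysqld_t;
    attribute file_type;
}

# Dedicated label for the single directory both daemons must share
type piwik_assets_t;
typeattribute piwik_assets_t file_type;

# Apache (Piwik) creates, rewrites and deletes the CSV exports
allow httpd_t piwik_assets_t:dir { getattr search read open write add_name remove_name create rmdir setattr };
allow httpd_t piwik_assets_t:file { create read write open getattr setattr unlink rename append lock };

# mysqld only has to find and read them for LOAD DATA INFILE
allow mysqld_t piwik_assets_t:dir { getattr search };
allow mysqld_t piwik_assets_t:file { getattr read open };
EOF
}

# Compile, install and relabel (as root; needs policycoreutils). Parent
# directories keep their labels, so mysqld_t must already be able to
# search them, as the denials in the log suggest it can.
install_module() {
    workdir="$(mktemp -d)"
    write_te "$workdir/$MODULE.te"
    checkmodule -M -m -o "$workdir/$MODULE.mod" "$workdir/$MODULE.te"
    semodule_package -o "$workdir/$MODULE.pp" -m "$workdir/$MODULE.mod"
    semodule -i "$workdir/$MODULE.pp"
    semanage fcontext -a -t piwik_assets_t "${ASSETS_DIR}(/.*)?"
    restorecon -Rv "$ASSETS_DIR"
}

# Verify the scope afterwards: no allow rule from mysqld_t to the broad label
check_scope() {
    ! sesearch -A -s mysqld_t -t httpd_sys_rw_content_t -c dir | grep -q allow
}
```

Run `install_module` once, then `check_scope`; afterwards only files under the relabelled directory are readable by mysqld, while Apache keeps full write access there.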
Mike Macgirvin
 Tue, 21 Jan 2014 01:26:59 +0100 last edited: Tue, 21 Jan 2014 01:27:00 +0100  
HYnnn is typically MySQL server and, iirc, errno 13 is permission denied (reported here as a stat() failure).

http://forum.piwik.org/read.php?2,101809,106342

Have a look at the page for SimonSimCity - there are some interesting addenda to that reply.
Klaus
 Fri, 24 Jan 2014 00:05:35 +0100 
LOAD DATA INFILE is working, that's configured correctly. I have read the Piwik forums also, but there are only solutions for ordinary permission problems or AppArmor, nothing related to SELinux.
My problem is only caused by SELinux, which prevents mysqld from accessing the files that are labeled httpd_sys_rw_content_t by default. When I change it so that the files are labeled for mysqld, Apache complains it cannot create the files anymore. :-(
I have read so much about SELinux now, but still have no clue how to change it in a sane way. At least I have learned quite some other things that I should have done better and easier. ;-)
The solution provided by audit2allow fixes my problem, but I would like to restrict the permission to this folder only and not all folders labeled httpd_sys_rw_content_t, which I think is far too much.