Klaus Weidenbach
SELinux and load data infile
#SELinux should be simple actually. It is just about labels. o_O But today I am again totally stuck and don't get along. For AppArmor I have found solutions; there is even one documented in Piwik's FAQ http://piwik.org/faq/troubleshooting/#faq_194, but I cannot find any satisfying solution for SELinux. I have tried several search engines, but somehow I cannot find anything that solves this problem.

Here is my problem:
Try #1: LOAD DATA INFILE : SQLSTATE[HY000]: General error: 13 Can't get stat of '/srv/.../piwik/tmp/assets/piwik_option-29b74e562dbd45071d2667ee8774bdfd.csv' (Errcode: 13)
This should be a common task, I think; why can I not find anything appropriate? Either httpd is complaining or mysqld complains that it cannot access the required files.

audit.log shows this:
type=AVC msg=audit(1390235950.375:12795): avc:  denied  { getattr } for  pid=43196 comm="mysqld" path="/srv/.../piwik/tmp/assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12795): arch=c000003e syscall=6 success=no exit=-13 a0=7fed64073930 a1=7fed64073860 a2=7fed64073860 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1390235950.375:12796): avc:  denied  { search } for  pid=43196 comm="mysqld" name="assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12796): arch=c000003e syscall=4 success=no exit=-13 a0=7fed64074fc0 a1=7fed64074eb0 a2=7fed64074eb0 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
audit2allow gives me this solution:
#============= mysqld_t ==============
allow mysqld_t httpd_sys_rw_content_t:dir { getattr search };

But this solution seems to grant way too many permissions to mysqld. I only want to allow it for this single folder, not all folders that httpd has rw permissions on.
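To make the scope problem in the post concrete, here is an added Python example (not part of the original post, and not how audit2allow is actually implemented) that parses the two AVC records quoted above, groups the denied permissions by (source type, target type, object class) the way audit2allow does, and then contrasts the generated rule with the objects that actually triggered the denials. The point it demonstrates: the denials all come from one inode (dev=dm-3, ino=1850123), but the rule is expressed in terms of the label httpd_sys_rw_content_t, so it applies to every directory carrying that label. The regexes and the field names are my assumptions about the audit record layout; the sample log is copied from the post, with its "..." kept as written.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in the post above, copied verbatim
# (the '...' in the path is how the post abbreviates it).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390235950.375:12795): avc:  denied  { getattr } for  pid=43196 comm="mysqld" path="/srv/.../piwik/tmp/assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1390235950.375:12795): arch=c000003e syscall=6 success=no exit=-13 a0=7fed64073930 a1=7fed64073860 a2=7fed64073860 a3=fffffffffffffffd items=0 ppid=2669 pid=43196 auid=0 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=5 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1390235950.375:12796): avc:  denied  { search } for  pid=43196 comm="mysqld" name="assets" dev=dm-3 ino=1850123 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
"""

# Assumed record layout: "avc: denied { perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
# Generic key=value or key="quoted value" fields found in audit records.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC denials, None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        # Directory denials carry either a full path or just a name, plus device and inode.
        'object': fields.get('path') or fields.get('name'),
        'dev': fields.get('dev'),
        'ino': fields.get('ino'),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(summary)


def render_allow_rules(summary):
    """Render the grouped denials as policy allow rules, one per (source, target, class)."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def denied_objects(log_text):
    """Map each (dev, inode) that triggered a denial to the names the kernel logged for it."""
    objects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            objects[(rec['dev'], rec['ino'])].add(rec['object'])
    return dict(objects)


def scope_report(log_text):
    """Contrast what the denials touched (specific inodes) with what the rules grant (whole labels)."""
    summary = summarize_denials(log_text)
    objects = denied_objects(log_text)
    report = []
    for (stype, ttype, tclass), rule in zip(sorted(summary), render_allow_rules(summary)):
        report.append(f"{rule}  -> lets {stype} do this on EVERY {tclass} labelled {ttype}")
    names = sorted(n for group in objects.values() for n in group)
    report.append(f"denials came from {len(objects)} distinct object(s): {', '.join(names)}")
    return report


if __name__ == '__main__':
    print('\n'.join(scope_report(SAMPLE_AUDIT_LOG)))
```

Running it reproduces the exact rule audit2allow printed in the post and reports that only one object was involved, which is why the rule is broader than the access that was actually needed: SELinux rules are written against labels, so narrowing access to one directory means giving that directory its own label (and a file-context rule so the label survives relabelling), not listing the path in the policy.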