SELinux issue related to temporary csv-files and mysqld

[hkotkanen]

I’m running Matomo on a CentOS 7.9 machine and would like to keep SELinux in Enforcing mode. I’ve configured other required policies like allowing httpd to send mail, connect to the db and write to some directories. However, I still have one issue:

The problem are these temporary .csv files the Matomo is creating in matomo/tmp/assets/ directory (the path in the messages below is different for legacy reasons), which the database then wants to read. Below is an example snippet from the audit log, but there are other types of files as well causing the same kinds of messages, like matomo_archive_blobs and matomo_archive_invalidations.

time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13125): avc:  denied  { getattr } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
----
time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { open } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { read } for  pid=1356 comm="mysqld" name="matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1

I’m guessing this has to do with the LOAD DATA INFILE capability of the database which was marked as optional in the installation guide. I’m also guessing that it’s the Matomo app (i.e. httpd) that’s creating these temporary .csv files, which in my understanding means that they are necessarily going to get created with the httpd_sys_rw_content_t type, which the mysqld_t domain is not allowed to touch by default.

So one (the only?) way of solving this that I can think of would be to compile a new policy where processes marked as mysqld_t would be granted the getattr, open, and read permissions for files of type httpd_sys_rw_content_t, but I’d like to know if anyone knows of other, simpler ways to deal with this? Having to compile a new SELinux policy is a bit of a hassle, and also that kind of policy would be quite broad when considering the specificity of the actions being done here.

I thought it would be best to submit this is a documentation issue as it could be addressed in the installation guide but feel free to shuffle it around if another category would be more suitable.

[bx80]

Hi @hkotkanen, thanks for reaching out on this one.

You are correct, the temporary .csv files are being created for LOAD DATA INFILE. Other than creating a new SELinux policy to allow the mysql process to access these files, the only other option I can see would be to disable use of LOAD DATA INFILE by adding enable_load_data_infile = 0 to the [General] section of config.ini.php which may or may not be a viable option for you depending on performance requirements.

I'll categorize this issue as a documentation update and assign it for prioritization. We should at least note in the installation guide that SELinux in enforcing mode will need policy changes in order for Matomo to work. A separate guide covering all SELinux changes required for Matomo installation would be even better. 🙂

[hkotkanen]

Thanks for responding! I can try to contribute: here are the SELinux operations I needed to get Matomo running under Enforcing mode (CentOS 7.9). This is only for normal operation - automatic updates will not work (probably best to e.g. semanage permissive -a httpd_t before the update and -d after it).

# Quick and dirty to make the whole directory writable. Probably should be more specific!
semanage fcontext --add --type httpd_sys_rw_content_t "/var/www/html/matomo/tmp(/.*)?"
restorecon -vR /var/www/html/matomo/tmp

# SELinux booleans needed
setsebool httpd_can_network_connect_db on
setsebool httpd_can_sendmail on  # at least when using "local mail function" / postfix

Then the custom policy module contents in file mysqld-read-httpd_sys_rw_content_t.te:

module mysqld-read-httpd_sys_rw_content_t 1.0;

require {
        type mysqld_t;
        type httpd_sys_rw_content_t;
        class file { getattr read open };
}

allow mysqld_t httpd_sys_rw_content_t:file { read open getattr };

Steps needed to compile and install the new policy (creates intermediate files):

# Might need to install prerequisites
#yum install libsemanage-static

# Turn module into a binary .mod -file
checkmodule -M -m -o mysqld-read-httpd_sys_rw_content_t.mod mysqld-read-httpd_sys_rw_content_t.te

# Package it into an installable .pp file
semodule_package -o mysqld-read-httpd_sys_rw_content_t.pp -m mysqld-read-httpd_sys_rw_content_t.mod

# Install module
semodule -i mysqld-read-httpd_sys_rw_content_t.pp

I thought I had looked everywhere but wouldn't you know it, only after writing all this I came across this old issue where @pizzarabe already gave pretty much identical instructions! Well, maybe it'll now end up in an installation guide that's a bit more easy to find.

[bx80]

Thanks for sharing @hkotkanen, that'll be really helpful when writing the guide :+1: It's also good to have confirmation that the required SELinux operations haven't changed much since the 2015 issue :slightly_smiling_face: