I’m running Matomo on a CentOS 7.9 machine and would like to keep SELinux in Enforcing mode. I’ve configured other required policies like allowing httpd to send mail, connect to the db and write to some directories. However, I still have one issue and was hoping someone here would know something about it.
The problem are these temporary .csv files the Matomo is creating in matomo/tmp/assets/ directory, which the database then wants to read. Below is an example snippet from the audit log, but there are other types of files as well, like matomo_archive_blobs and matomo_archive_invalidations.
time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13125): avc: denied { getattr } for pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
----
time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13126): avc: denied { open } for pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668771990.865:13126): avc: denied { read } for pid=1356 comm="mysqld" name="matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
I’m guessing this has to do with the LOAD DATA INFILE capability of the database which was marked as optional in the installation guide. I’m also guessing that it’s the Matomo app (i.e. httpd) that’s creating these temporary .csv files, so with the default SELinux policy, they are necessarily going to get created with the httpd_sys_rw_content_t type, which the mysqld_t domain is not allowed to touch.
So one (the only?) way of solving this would be to compile a new policy where processes marked as mysqld_t would be granted the getattr, open, and read permissions for files of type httpd_sys_rw_content_t, but I’d like to know if anyone knows of other, simpler ways to deal with this? That kind of policy would also be pretty broad when considering the specificity of the actions being done here.