I have a PHP script that runs every hour to clean up a table. (Location: /var/www/example.php)
<?php
$host = "mysql:host=localhost; dbname=xxx";
$user = "xxx";
$pass = "xxx";
$pdo = new PDO($host, $user, $pass);
$sql_count = "SELECT * FROM xxx WHERE (UNIX_TIMESTAMP() - 21600) > last_activity AND (name LIKE 'xxx%' OR name LIKE '%xxx%' OR name LIKE '%xxx%' OR name LIKE '%xxx%')";
$sql_del = "DELETE FROM xxx WHERE (UNIX_TIMESTAMP() - 21600) > last_activity AND (name LIKE 'xxx%' OR name LIKE '%xxx%' OR name LIKE '%xxx%' OR name LIKE '%xxx%')";
$rowset = $pdo -> query($sql_count);
$row = $rowset -> fetch(PDO::FETCH_ASSOC);
$k = 0;
while($row == true)
{
    $k++;
    $row = $rowset -> fetch(PDO::FETCH_ASSOC);
}
echo "Deleted entries: ".$k."\n";
$rowset = $pdo -> query($sql_del);
$pdo = null;
?>
When I run this PHP script (cronjob), it works fine, but I have this AppArmor error message:
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/php7.0" name="/" pid=7982 comm="php7.0" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
This is my AppArmor profile:
# Last Modified: Mon Oct 15 05:39:16 2018
#include <tunables/global>
/usr/bin/php7.0 flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/php>

  capability dac_override,

  /lib/x86_64-linux-gnu/ld-*.so mr,
  /media/nfsfolder/** rw,
  /usr/bin/php7.0 mr,
  /var/www/folder1/** rw,
  /var/www/folder2/** rw,
  /var/www/example.php r,
  /var/www/phpmyadmin/** mrw,
}
I don't want to give full access to the root directory, so it would be nice if anybody sees the problem and can help.
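
An added example, not part of the original post: it parses the logged denial and checks which of the profile's explicit file rules cover the denied path and mask. The glob handling is a simplification of AppArmor's matching, and the `#include`d abstractions are not evaluated because their contents are not shown in the post; the function names are hypothetical.

```python
import re
import shlex

# Denial line and explicit file rules copied from the post above.
DENIAL = ('apparmor="DENIED" operation="file_mmap" profile="/usr/bin/php7.0" '
          'name="/" pid=7982 comm="php7.0" requested_mask="rw" '
          'denied_mask="rw" fsuid=0 ouid=0')
PROFILE_RULES = """
/lib/x86_64-linux-gnu/ld-*.so mr,
/media/nfsfolder/** rw,
/usr/bin/php7.0 mr,
/var/www/folder1/** rw,
/var/www/folder2/** rw,
/var/www/example.php r,
/var/www/phpmyadmin/** mrw,
"""

def parse_denial(line):
    """Split an AppArmor audit message into a dict of key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def glob_to_regex(glob):
    """Simplified AppArmor globbing (assumption): '**' may cross '/', '*' may not."""
    conv = {"**": ".*", "*": "[^/]*"}
    parts = re.split(r"(\*\*|\*)", glob)
    return re.compile("".join(conv.get(p, re.escape(p)) for p in parts) + r"\Z")

def rules_covering(path, mask, rules_text):
    """Return the rules whose glob matches path and whose perms include mask."""
    hits = []
    for line in rules_text.splitlines():
        line = line.strip().rstrip(",")
        if not line.startswith("/"):
            continue  # skip blank lines, capabilities and includes
        glob, perms = line.rsplit(None, 1)
        if glob_to_regex(glob).match(path) and set(mask) <= set(perms):
            hits.append(line)
    return hits

def explain(line, rules_text):
    """Return (operation, path, denied mask, covering rules) for one denial."""
    d = parse_denial(line)
    hits = rules_covering(d["name"], d["denied_mask"], rules_text)
    return d["operation"], d["name"], d["denied_mask"], hits

if __name__ == "__main__":
    op, name, mask, hits = explain(DENIAL, PROFILE_RULES)
    print(f"{op} on {name!r} needs {mask!r}; covering rules: {hits or 'none'}")
```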