What is SELinux Context
When SELinux is enforced on the system, it checks rules governing which process may access which files, directories, and ports. Every file, process, directory, and port carries a security label known as an SELinux context, and the context is what the policy consults to decide whether a process may access a file, directory, or port. By default the policy denies every interaction unless an explicit rule grants access.
An SELinux label is made up of several fields: user, role, type, and sensitivity level. Many Linux commands accept a -Z option for working with SELinux contexts. For example, ps, ls, cp, and mkdir all use -Z to display or set the SELinux context of a file, directory, or process.
The MySQL server reads from and writes to a number of files. If the SELinux context on those files is not set correctly, the mysqld process may be blocked from accessing them; in some cases this can even prevent mysqld from logging errors, which makes the problem harder to diagnose.
How to list the current MySQL contexts
You can list the current contexts using:
# semanage fcontext -l | grep -i mysql
How to set the data directory context
The default location for the data directory is /var/lib/mysql/, and the SELinux context used is mysqld_db_t. If you edit the configuration file to use a different location for the data directory, or for any of the files normally kept in the data directory (e.g. the binary logs), you may need to set the context for the new location using:
# semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
# restorecon -Rv /path/to/my/custom/datadir
# semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
# restorecon -Rv /path/to/my/custom/logdir
How to set the error log file context
The default location for RedHat RPMs is /var/log/mysqld.log, and the SELinux context used is mysqld_log_t. If you edit the configuration file to use a different location, you may need to set the context for the new location using:
# semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
# restorecon -Rv /path/to/my/custom/error.log
How to set the PID file context
The default location for the PID file is /var/run/mysqld/mysqld.pid, and the SELinux context used is mysqld_var_run_t. If you edit the configuration file to use a different location, you may need to set the context for the new directory using (the "(/.*)?" suffix labels the directory itself and everything beneath it):
# semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory(/.*)?"
# restorecon -Rv /path/to/my/custom/pidfile/directory
How to set the unix-domain socket context
The default location for the unix-domain socket is /var/lib/mysql/mysql.sock, and the SELinux context used is mysqld_var_run_t. If you edit the configuration file to use a different location, you may need to set the context for the new location using:
# semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql.sock"
# restorecon -Rv /path/to/my/custom/mysql.sock
How to set the TCP port context
The default TCP port is 3306, and the SELinux context used is mysqld_port_t. If you edit the configuration file to use a different TCP port, or you enable Group Replication, which uses an additional port (typically port 13306), you may need to set the context for the new port using:
# semanage port -a -t mysqld_port_t -p tcp 13306
How to set the secure_file_priv directory context
For MySQL versions since 5.5.53, 5.6.34 and 5.7.16, installing the server RPM creates the directory /var/lib/mysql-files/ but does not set an SELinux context on it. This directory is intended for operations such as 'SELECT ... INTO OUTFILE'. If you enable use of this directory by setting secure_file_priv, you may need to set the context using:
# semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files(/.*)?"
# restorecon -Rv /var/lib/mysql-files
If you set this to a new location, you will need to edit the path. For more information about this variable, please see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv. For security, this directory should never be within the data directory.
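The sections above boil down to one rule per path: the data directory and secure_file_priv directory need mysqld_db_t, the error log mysqld_log_t, and the PID file and socket mysqld_var_run_t. The script below is an added example, not part of the original article, that reads those paths from a my.cnf and reports any label that does not match; it assumes the [mysqld] section holds absolute paths, and that stat -c %C is available to print a file's context.

```shell
# Added example: audit the SELinux labels of the MySQL paths named in a my.cnf
# against the types documented above. Assumes absolute paths in [mysqld].

# Map a normalised my.cnf option name to the type mysqld expects for it.
expected_type() {
  case "$1" in
    datadir|secure-file-priv) echo mysqld_db_t ;;
    log-error)                echo mysqld_log_t ;;
    pid-file|socket)          echo mysqld_var_run_t ;;
    *) return 1 ;;
  esac
}

# Third field of a context such as system_u:object_r:mysqld_db_t:s0.
context_type() { printf '%s' "$1" | cut -d: -f3; }

# check_label <option> <path> <observed-context>: print a verdict and return 1
# on a mismatch, quoting the semanage/restorecon pair that would repair it.
check_label() {
  want=$(expected_type "$1") || return 2
  have=$(context_type "$3")
  if [ "$have" = "$want" ]; then
    echo "OK       $2 is $have"
  else
    echo "MISMATCH $2 is ${have:-unlabeled}, expected $want"
    echo "         fix: semanage fcontext -a -t $want \"$2\" && restorecon -Rv \"$2\""
    return 1
  fi
}

# Emit key=value lines for the relevant [mysqld] options; keys are normalised
# to hyphens because mysqld accepts both log_error and log-error.
mysqld_options() {
  awk -F= '
    /^\[/ { insec = ($0 ~ /^\[mysqld\]/); next }
    insec && NF >= 2 {
      k = $1; gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
      v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k ~ /^(datadir|log-error|pid-file|socket|secure-file-priv)$/) print k "=" v
    }' "$1"
}

# Audit every listed path on the live system; returns 1 if any label is wrong.
audit_mycnf() {
  rc=0
  for kv in $(mysqld_options "${1:-/etc/my.cnf}"); do
    opt=${kv%%=*}; path=${kv#*=}
    [ -e "$path" ] || { echo "MISSING  $path ($opt)"; continue; }
    check_label "$opt" "$path" "$(stat -c %C "$path" 2>/dev/null)" || rc=1
  done
  return $rc
}
```

Run audit_mycnf /etc/my.cnf after relabelling to confirm every path now carries the expected type before restarting mysqld.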
Required Tools
The semanage binary is part of the policycoreutils-python package:
# yum install policycoreutils-python
To use semanage with early versions of RHEL 6 with python 2.6, you may need to install a backport of the OrderedDict python collection module using python-pip from the EPEL repository.
Install the EPEL repository:
# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/$(uname -m)/epel-release-6-8.noarch.rpm
Install python-pip:
# yum install python-pip
If installing python-pip returns this error:
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
you may need to update your SSL CA certificates using:
# yum --disablerepo=epel -y update ca-certificates