The Geek Diary

How to List and Set SELinux Context for MySQL Server

by admin

What is SELinux Context

When SELinux is in enforcing mode, it checks policy rules that define which process may access which files, directories, and ports. Every file, process, directory, and port carries a security label known as an SELinux context; the context is what the policy consults to decide whether a process may access a file, directory, or port. By default, the policy allows no interaction unless an explicit rule grants access.

An SELinux context consists of four fields: user, role, type, and sensitivity level. Most Linux commands accept a -Z option to work with SELinux contexts; for example, ps, ls, cp, and mkdir all take -Z to display or set the context of a process, file, or directory (port contexts are managed with semanage port, as shown below).

The MySQL server reads from and writes to various files; if the SELinux context on those files is not set correctly, the mysqld process may be blocked from accessing them. In some cases this even stops mysqld from logging the error.

How to list the current MySQL contexts

You can list the current contexts using:

# semanage fcontext -l | grep -i mysql

How to set the data directory context

The default location for the data directory is /var/lib/mysql/, and the SELinux context used is mysqld_db_t. If you edit the configuration file to use a different location for the data directory, or for any of the files normally kept in the data directory (e.g. the binary logs), you may need to set the context for the new location using:

# semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
# restorecon -Rv /path/to/my/custom/datadir
# semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
# restorecon -Rv /path/to/my/custom/logdir

How to set the error log file context

The default error log location for the RedHat RPMs is /var/log/mysqld.log, and the SELinux context used is mysqld_log_t. If you edit the configuration file to use a different location, you may need to set the context for the new location using:

# semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
# restorecon -Rv /path/to/my/custom/error.log

How to set the PID file context

The default location for the PID file is /var/run/mysqld/mysqld.pid, and the SELinux context used is mysqld_var_run_t. If you edit the configuration file to use a different location, you may need to set the context for the new directory (the pattern below covers the directory itself and everything inside it) using:

# semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory(/.*)?"
# restorecon -Rv /path/to/my/custom/pidfile/directory

How to set the unix-domain socket context

The default location for the unix-domain socket is /var/lib/mysql/mysql.sock, and the SELinux context used is mysqld_var_run_t. If you edit the configuration file to use a different location, you may need to set the context for the new location using:

# semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql.sock"
# restorecon -Rv /path/to/my/custom/mysql.sock

How to set the TCP port context

The default TCP port is 3306, and the SELinux context used is mysqld_port_t. If you edit the configuration file to use a different TCP port, or you enable Group Replication, which uses an additional port (typically port 13306), you may need to set the context for the new port using:

# semanage port -a -t mysqld_port_t -p tcp 13306

Port labels are stored in the SELinux policy rather than on files, so no restorecon step is needed after changing them.
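The port section above adds a label with a single command, but on a real host it is worth checking first whether the port is already covered, because the stock policy labels mysqld_port_t as a list of single ports and ranges. The following shell functions are an added example and not part of the original article: they parse `semanage port -l` style output (the sample listing is constructed here, modelled on the stock policy entries), report whether a port falls inside the mysqld_port_t entry, and only emit the semanage command when it does not. The function names and the DO_RELABEL switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Decide whether a TCP port is
# already labeled mysqld_port_t by parsing `semanage port -l` output, which
# lists single ports and ranges such as "63132-63164".

# Constructed sample of `semanage port -l` output (modelled on the stock policy).
# On a real host, pass "$(semanage port -l)" as the LISTING argument instead.
SAMPLE_PORTS='mysqld_port_t                  tcp      1186, 3306, 63132-63164
mysqlmanagerd_port_t           tcp      2273
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_labeled TYPE PROTO PORT [LISTING]
# Returns 0 if PORT is inside the TYPE/PROTO entry of LISTING, 1 otherwise.
port_labeled() {
    local type="$1" proto="$2" port="$3" listing="${4:-$SAMPLE_PORTS}"
    local spec range lo hi
    # Keep only the port list of the matching type/proto line.
    spec="$(printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" \
        '$1 == t && $2 == p { $1 = ""; $2 = ""; print }')"
    [ -n "$spec" ] || return 1
    spec="$(printf '%s' "$spec" | tr -d ' ')"
    local IFS=,
    for range in $spec; do
        lo="${range%-*}"      # "3306" stays "3306"; "63132-63164" gives 63132
        hi="${range#*-}"      # "3306" stays "3306"; "63132-63164" gives 63164
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# ensure_mysql_port PORT [LISTING]
# Prints the semanage command needed for PORT, or runs it when DO_RELABEL=1 is
# set on the SELinux host. Port labels live in the policy database, not on
# files, so no restorecon step follows. (If the port is already labeled with a
# different type, semanage port -m rather than -a is the command to use.)
ensure_mysql_port() {
    local port="$1" listing="${2:-$SAMPLE_PORTS}"
    if port_labeled mysqld_port_t tcp "$port" "$listing"; then
        printf 'port %s/tcp already labeled mysqld_port_t\n' "$port"
        return 0
    fi
    if [ "${DO_RELABEL:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
        semanage port -a -t mysqld_port_t -p tcp "$port"
    else
        printf 'semanage port -a -t mysqld_port_t -p tcp %s\n' "$port"
    fi
}

# Usage against the constructed listing: 3306 is already covered,
# the Group Replication port 13306 is not.
ensure_mysql_port 3306
ensure_mysql_port 13306
```

Run it as a dry run first; only set DO_RELABEL=1 on the database host itself, after confirming with `semanage port -l` that the port is not already owned by another type.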

How to set the secure_file_priv directory context

Since MySQL 5.5.53, 5.6.34 and 5.7.16, installing the server RPM creates the directory /var/lib/mysql-files/, but does not set the SELinux context on it. This directory is intended for operations such as 'SELECT ... INTO OUTFILE'. If you enable use of this directory by setting secure_file_priv, you may need to set the context using (note that the pattern has no slash before the parenthesised group, so it matches the directory itself as well as its contents):

# semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files(/.*)?"
# restorecon -Rv /var/lib/mysql-files

If you set secure_file_priv to a new location, edit the path in the commands above accordingly. For more information about this variable, please see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv. For security, this directory should never be within the data directory.
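The data directory, error log, PID file, socket and secure_file_priv sections above all follow the same two-step pattern (record a file-context rule with semanage fcontext, then apply it with restorecon), and the easiest mistake to make is a pattern that never matches the directory itself. The shell functions below are an added example and not part of the original article: they build the fcontext pattern from a directory path while stripping a trailing slash, apply it only when explicitly asked to on an SELinux host, and check `ls -dZ` output for paths that still carry the wrong type. The function names, the /srv/mysql paths, the DO_RELABEL switch and the `ls -dZ` sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for the
# semanage fcontext / restorecon steps described in the sections above.

# Build the fcontext regex that covers a directory AND everything under it.
# The trailing slash is stripped first: "/var/lib/mysql-files/(/.*)?" would
# never match the directory itself, whereas "/var/lib/mysql-files(/.*)?" does.
fcontext_pattern() {
    local dir="${1%/}"
    printf '%s(/.*)?' "$dir"
}

# Extract the type field from a full context such as
# system_u:object_r:mysqld_db_t:s0 (fields are user:role:type:level).
context_type() {
    local ctx="$1"
    ctx="${ctx#*:}"; ctx="${ctx#*:}"   # drop user and role
    printf '%s' "${ctx%%:*}"           # keep type, drop level
}

# check_labels EXPECTED_TYPE  (reads `ls -dZ` style lines on stdin:
#   <context> <path>)
# Prints every path whose type differs from EXPECTED_TYPE.
# Returns 0 when all paths match, 1 when at least one is mislabeled.
check_labels() {
    local expected="$1" rc=0 ctx path actual
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        actual="$(context_type "$ctx")"
        if [ "$actual" != "$expected" ]; then
            printf 'MISLABELED %s (%s, expected %s)\n' "$path" "$actual" "$expected"
            rc=1
        fi
    done
    return $rc
}

# relabel_dir TYPE DIR
# Records the rule and relabels DIR. Runs semanage/restorecon only when
# DO_RELABEL=1 is set on an SELinux host; otherwise prints the commands.
# `semanage fcontext -a` fails if a rule for the pattern already exists,
# in which case `-m` (modify) is used instead.
relabel_dir() {
    local type="$1" dir="${2%/}" pattern
    pattern="$(fcontext_pattern "$dir")"
    if [ "${DO_RELABEL:-0}" = 1 ] && command -v semanage >/dev/null 2>&1 \
        && command -v restorecon >/dev/null 2>&1; then
        semanage fcontext -a -t "$type" "$pattern" 2>/dev/null \
            || semanage fcontext -m -t "$type" "$pattern"
        restorecon -Rv "$dir"
    else
        printf 'semanage fcontext -a -t %s "%s"\nrestorecon -Rv %s\n' \
            "$type" "$pattern" "$dir"
    fi
}

# Constructed sample of `ls -dZ` output for a relocated data directory where
# the binary log directory has not been relabeled yet and still carries var_t.
SAMPLE_LS_Z='system_u:object_r:mysqld_db_t:s0 /srv/mysql/data
system_u:object_r:mysqld_db_t:s0 /srv/mysql/data/ibdata1
unconfined_u:object_r:var_t:s0 /srv/mysql/binlog'

# Usage: dry-run the relabel of a custom datadir, then audit the sample.
relabel_dir mysqld_db_t /srv/mysql/data/
printf '%s\n' "$SAMPLE_LS_Z" | check_labels mysqld_db_t \
    || echo "relabel the paths listed above and re-run the check"
```

On a real host, replace the sample with `ls -dZ /path/to/datadir /path/to/datadir/* | check_labels mysqld_db_t` (and mysqld_log_t or mysqld_var_run_t for the log, PID and socket locations) to confirm restorecon produced the labels the sections above expect.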

Required Tools

The semanage binary is part of the policycoreutils-python package:

# yum install policycoreutils-python

To use semanage on early versions of RHEL 6 with Python 2.6, you may need to install a backport of the OrderedDict Python collections module via python-pip from the EPEL repository.

Install the EPEL repository:

# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/$(uname -m)/epel-release-6-8.noarch.rpm

Install python-pip:

# yum install python-pip

If installing python-pip returns this error:

Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

you may need to update your SSL CA certificates using:

# yum --disablerepo=epel -y update ca-certificates

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux, mysql

© 2023 · The Geek Diary