-
Run the
ls -lZ /var/lib/mysql
command to view the SELinux context of the default database location formysql
:~]#
ls -lZ /var/lib/mysql
drwx------. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 mysqlThis showsmysqld_db_t
which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly. -
Enter
mysqlshow -u root -p
and enter themysqld
root password to show the available databases:~]#
mysqlshow -u root -p
Enter password: ******* +--------------------+ | Databases | +--------------------+ | information_schema | | mysql | | test | | wikidb | +--------------------+ -
Shut down the
mysqld
daemon with theservice mysqld stop
command as the root user:~]#
service mysqld stop
Stopping MySQL: [ OK ] -
Create a new directory for the new location of the database(s). In this example,
/mysql/
is used:~]#
mkdir -p /mysql
-
Copy the database files from the old location to the new location:
~]#
cp -R /var/lib/mysql/* /mysql/
-
Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe.
~]#
chown -R mysql:mysql /mysql
-
Run the
ls -lZ /opt
command to see the initial context of the new directory:~]#
ls -lZ /opt
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0 mysqlThe contextusr_t
of this newly created directory is not currently suitable to SELinux as a location for MySQL database files. Once the context has been changed, MySQL will be able to function properly in this area. -
Open the main MySQL configuration file
/etc/my.cnf
with a text editor and modify thedatadir
option so that it refers to the new location. In this example the value that should be entered is/mysql
.[mysqld] datadir=/mysql
Save this file and exit. -
Run the
service mysqld start
command as the root user to startmysqld
. The service should fail to start, and a denial will be logged to the/var/log/messages
file. However, if theaudit
daemon is running alongside thesetroubleshoot
service, the denial will be logged to the/var/log/audit/audit.log
file instead:SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71
The reason for this denial is that/mysql/
is not labeled correctly for MySQL data files. SELinux is stopping MySQL from having access to the content labeled asusr_t
. Perform the following steps to resolve this problem: -
Run the following
semanage
command to add a context mapping for/mysql
. Note thatsemanage
is not installed by default. If it is missing on your system, install the policycoreutils-python package.~]#
semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
-
This mapping is written to the
/etc/selinux/targeted/contexts/files/file_contexts.local
file:~]#
grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
/mysql(/.*)? system_u:object_r:mysqld_db_t:s0 -
Now use the
restorecon
command to apply this context mapping to the running system:~]#
restorecon -R -v /mysql
-
Now that the
/mysql/
location has been labeled with the correct context for MySQL, themysqld
daemon starts:~]#
service mysqld start
Starting MySQL: [ OK ] -
Confirm the context has changed for
/mysql/
:~]$
ls -lZ /opt
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql -
The location has been changed and labeled, and the
mysqld
daemon has started successfully. At this point all running services should be tested to confirm normal operation.
Sign in
Welcome! Log into your account
Forgot your password? Get help
Password recovery
Recover your password
A password will be e-mailed to you.