SELinux for MySQL Directory

When SELinux is enabled, it does not allow MySQL to use a directory other than the default (/var/lib/mysql). To move a MySQL database to another directory, the SELinux configuration must be changed to allow MySQL to use the new directory.

  • To check if SELinux is enabled:
   # getenforce

If the output is “Permissive” or “Disabled”, the next steps can be skipped because SELinux is not enforcing its security policy.

  • To change the configuration of SELinux, the semanage command is required. It is provided by the policycoreutils-python package:
   [root@labrat8-c62-64 ~]# yum -y install policycoreutils-python

In this example, target_dir_path stands for the new directory. To configure the SELinux setting:

   [root@labrat8-c62-64 ~]# semanage fcontext -a -t mysqld_db_t "target_dir_path(/.*)?"
  • To check the change:
   [root@labrat8-c62-64 ~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local

It will show:

   target_dir_path(/.*)? system_u:object_r:mysqld_db_t:s0
  • To apply this change to the currently running system:
   [root@labrat8-c62-64 ~]# restorecon -R -v target_dir_path
   restorecon reset target_dir_path context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:mysqld_db_t:s0
   restorecon reset target_dir_path/dump_oss_test_table_only.sql context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:mysqld_db_t:s0
   restorecon reset target_dir_path/nexoss_test_backup.sql context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:mysqld_db_t:s0
  • To see the SELinux label, use ls -lZ:
   [root@labrat8-c62-64 /]# ls -lZ
   drwxr-xr-x. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 target_dir_path
   [root@labrat8-c62-64 target_dir_path]# ls -lZ
   -rw-r--r--. ossadmin oss unconfined_u:object_r:mysqld_db_t:s0 dump_oss_test_table_only.sql
   -rw-rw----. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 ibdata1
   -rw-r--r--. ossadmin oss unconfined_u:object_r:mysqld_db_t:s0 nexoss_test_backup.sql
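
The checks above can be scripted. The following is an added example, not part of the original page: a POSIX shell audit that confirms the fcontext rule exists and lists files under the new directory whose SELinux type is not mysqld_db_t. /data/mysql is a hypothetical stand-in for target_dir_path, and the label lines in sample_labels are constructed sample input.

```sh
#!/bin/sh
# Added example: audit SELinux labels for a relocated MySQL data directory.
# /data/mysql is a hypothetical stand-in for target_dir_path.

EXPECTED_TYPE="mysqld_db_t"

# The type is the third colon-separated field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds if FILE (file_contexts.local format) has a rule mapping
# DIR(/.*)? to the expected type. Usage: has_db_rule DIR FILE
has_db_rule() {
    awk -v pat="$1(/.*)?" -v t=":$EXPECTED_TYPE:" \
        '$1 == pat && index($2, t) { found = 1 } END { exit !found }' "$2"
}

# Reads "context path" lines on stdin, prints every path whose type is
# not the expected one, and returns 1 if any were found.
find_mislabeled() {
    rc=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        ftype=$(context_type "$ctx")
        if [ "$ftype" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$path" "$ftype"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: one file moved in with mv from a home directory after
# restorecon was run, so it still carries user_home_t.
sample_labels() {
    cat <<'EOF'
unconfined_u:object_r:mysqld_db_t:s0 /data/mysql
unconfined_u:object_r:mysqld_db_t:s0 /data/mysql/ibdata1
unconfined_u:object_r:user_home_t:s0 /data/mysql/nexoss_test_backup.sql
EOF
}

# Live use: sh audit.sh /data/mysql  (GNU find prints the context with %Z)
if [ "$#" -ge 1 ]; then
    has_db_rule "$1" /etc/selinux/targeted/contexts/files/file_contexts.local \
        || echo "no $EXPECTED_TYPE rule for $1"
    find "$1" -printf '%Z %p\n' | find_mislabeled
fi
```

Any path the audit prints can be fixed by running restorecon -R -v on the directory again.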