20.4. Configuration Examples

download PDF

20.4.1. MariaDB Changing Database Location

When using Red Hat Enterprise Linux, the default location for MariaDB to store its database is /var/lib/mysql/. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the mysqld_db_t type.
The location where the database is stored can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a MariaDB database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.
Note that this is an example only and demonstrates how SELinux can affect MariaDB. Comprehensive documentation of MariaDB is beyond the scope of this document. See the official MariaDB documentation for further details. This example assumes that the mariadb-server and setroubleshoot-server packages are installed, that the auditd service is running, and that there is a valid database in the default location of /var/lib/mysql/.
  1. View the SELinux context of the default database location for mysql:
    ~]# ls -lZ /var/lib/mysql
    drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
    This shows mysqld_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
  2. Enter the following command and enter the mysqld root password to show the available databases:
    ~]# mysqlshow -u root -p
    Enter password: *******
    |     Databases      |
    | information_schema |
    | mysql              |
    | test               |
    | wikidb             |
  3. Stop the mariadb.service service:
    ~]# systemctl stop mariadb.service
  4. Create a new directory for the new location of the database(s). In this example, /mysql/ is used:
    ~]# mkdir -p /mysql
  5. Copy the database files from the old location to the new location:
    ~]# cp -R /var/lib/mysql/* /mysql/
  6. Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe:
    ~]# chown -R mysql:mysql /mysql
  7. Enter the following command to see the initial context of the new directory:
    ~]# ls -lZ /mysql
    drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql
    The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MariaDB database files. Once the context has been changed, MariaDB will be able to function properly in this area.
  8. Open the main MariaDB configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example, the value that should be entered is /mysql:
    Save this file and exit.
  9. Start mariadb.service. The service should fail to start, and a denial message will be logged to the /var/log/messages file:
    ~]# systemctl start mariadb.service
    Job for mariadb.service failed. See 'systemctl status mariadb.service' and 'journalctl -xn' for details.
    However, if the audit daemon is running alongside the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead:
    SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71
    The reason for this denial is that /mysql/ is not labeled correctly for MariaDB data files. SELinux is stopping MariaDB from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:
  10. Enter the following command to add a context mapping for /mysql/. Note that the semanage utility is not installed by default. If it is missing on your system, install the policycoreutils-python package.
    ~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
  11. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:
    ~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
    /mysql(/.*)?    system_u:object_r:mysqld_db_t:s0
  12. Now use the restorecon utility to apply this context mapping to the running system:
    ~]# restorecon -R -v /mysql
  13. Now that the /mysql/ location has been labeled with the correct context for MariaDB, mysqld starts:
    ~]# systemctl start mariadb.service
  14. Confirm the context has changed for /mysql/:
    ~]$ ls -lZ /mysql
    drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
  15. The location has been changed and labeled, and mysqld has started successfully. At this point all running services should be tested to confirm normal operation.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.