Home
Products
Red Hat Enterprise Linux
7
SELinux User's and Administrator's Guide
20.4. Configuration Examples

20.4. Configuration Examples

20.4.1. MariaDB Changing Database Location

When using Red Hat Enterprise Linux, the default location for MariaDB to store its database is /var/lib/mysql/. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the mysqld_db_t type.

The location where the database is stored can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a MariaDB database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.

Note that this is an example only and demonstrates how SELinux can affect MariaDB. Comprehensive documentation of MariaDB is beyond the scope of this document. See the official MariaDB documentation for further details. This example assumes that the mariadb-server and setroubleshoot-server packages are installed, that the auditd service is running, and that there is a valid database in the default location of /var/lib/mysql/.

View the SELinux context of the default database location for mysql:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# ls -lZ /var/lib/mysql
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
```
```
~]# ls -lZ /var/lib/mysql
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
```
This shows mysqld_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.

Enter the following command and enter the mysqld root password to show the available databases:

Copy to Clipboard Toggle word wrap

~]# mysqlshow -u root -p
Enter password: *******
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
| test               |
| wikidb             |
+--------------------+

~]# mysqlshow -u root -p
Enter password: *******
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
| test               |
| wikidb             |
+--------------------+

Stop the mariadb.service service:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# systemctl stop mariadb.service
```
```
~]# systemctl stop mariadb.service
```
Create a new directory for the new location of the database(s). In this example, /mysql/ is used:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# mkdir -p /mysql
```
```
~]# mkdir -p /mysql
```
Copy the database files from the old location to the new location:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# cp -R /var/lib/mysql/* /mysql/
```
```
~]# cp -R /var/lib/mysql/* /mysql/
```
Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# chown -R mysql:mysql /mysql
```
```
~]# chown -R mysql:mysql /mysql
```
Enter the following command to see the initial context of the new directory:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# ls -lZ /mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql
```
```
~]# ls -lZ /mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql
```
The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MariaDB database files. Once the context has been changed, MariaDB will be able to function properly in this area.
Open the main MariaDB configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example, the value that should be entered is /mysql:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
[mysqld]
datadir=/mysql
```
```
[mysqld]
datadir=/mysql
```
Save this file and exit.
Start mariadb.service. The service should fail to start, and a denial message will be logged to the /var/log/messages file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# systemctl start mariadb.service
Job for mariadb.service failed. See 'systemctl status mariadb.service' and 'journalctl -xn' for details.
```
```
~]# systemctl start mariadb.service
Job for mariadb.service failed. See 'systemctl status mariadb.service' and 'journalctl -xn' for details.
```
However, if the audit daemon is running alongside the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71
```
```
SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71
```
The reason for this denial is that /mysql/ is not labeled correctly for MariaDB data files. SELinux is stopping MariaDB from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:
Enter the following command to add a context mapping for /mysql/. Note that the semanage utility is not installed by default. If it is missing on your system, install the policycoreutils-python package.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
```
```
~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"
```

This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

Copy to Clipboard Toggle word wrap

~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local

/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0

~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local

/mysql(/.*)?    system_u:object_r:mysqld_db_t:s0

Now use the restorecon utility to apply this context mapping to the running system:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# restorecon -R -v /mysql
```
```
~]# restorecon -R -v /mysql
```
Now that the /mysql/ location has been labeled with the correct context for MariaDB, mysqld starts:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
~]# systemctl start mariadb.service
```
```
~]# systemctl start mariadb.service
```

Confirm the context has changed for /mysql/:

Copy to Clipboard Toggle word wrap

~]$ ls -lZ /mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

~]$ ls -lZ /mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

The location has been changed and labeled, and mysqld has started successfully. At this point all running services should be tested to confirm normal operation.

20.4. Configuration Examples

20.4.1. MariaDB Changing Database Location

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links