8.7.4 SELinux File Context
The MySQL Server reads from and writes to many files. If the SELinux context is not set correctly for these files, access to the files could be denied.
The instructions that follow use the semanage
binary to manage file context; on RHEL, it's part of the policycoreutils-python-utils
package:
yum install -y policycoreutils-python-utils
After installing the semanage
binary, you can list MySQL file contexts using semanage
with the fcontext
option.
semanage fcontext -l | grep -i mysql
The default data directory location is /var/lib/mysql/
; and the SELinux context used is mysqld_db_t
.
If you edit the configuration file to use a different location for the data directory, or for any of the files normally in the data directory (such as the binary logs), you may need to set the context for the new location. For example:
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
restorecon -Rv /path/to/my/custom/datadir
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
restorecon -Rv /path/to/my/custom/logdir
The default location for RedHat RPMs is /var/log/mysqld.log
; and the SELinux context type used is mysqld_log_t
.
If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:
semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
restorecon -Rv /path/to/my/custom/error.log
The default location for the PID file is /var/run/mysqld/mysqld.pid
; and the SELinux context type used is mysqld_var_run_t
.
If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
restorecon -Rv /path/to/my/custom/pidfile/directory
The default location for the Unix domain socket is /var/lib/mysql/mysql.sock
; and the SELinux context type used is mysqld_var_run_t
.
If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:
semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql\.sock"
restorecon -Rv /path/to/my/custom/mysql.sock
For MySQL versions since 5.6.34, 5.7.16, and 8.0.11.
Installing the MySQL Server RPM creates a /var/lib/mysql-files/
directory but does not set the SELinux context for it. The /var/lib/mysql-files/
directory is intended to be used for operations such as SELECT ... INTO OUTFILE
.
If you enabled the use of this directory by setting secure_file_priv
, you may need to set the context like so:
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files/(/.*)?"
restorecon -Rv /var/lib/mysql-files
Edit this path if you used a different location. For security purposes, this directory should never be within the data directory.
For more information about this variable, see the secure_file_priv
documentation.