Documentation Home
MySQL 8.4 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 39.8Mb
PDF (A4) - 39.9Mb
Man Pages (TGZ) - 257.9Kb
Man Pages (Zip) - 364.9Kb
Info (Gzip) - 4.0Mb
Info (Zip) - 4.0Mb


MySQL 8.4 Reference Manual  /  ...  /  SELinux File Context

8.7.4 SELinux File Context

The MySQL Server reads from and writes to many files. If the SELinux context is not set correctly for these files, access to the files could be denied.

The instructions that follow use the semanage binary to manage file context; on RHEL, it's part of the policycoreutils-python-utils package:

yum install -y policycoreutils-python-utils

After installing the semanage binary, you can list MySQL file contexts using semanage with the fcontext option.

semanage fcontext -l | grep -i mysql

The default data directory location is /var/lib/mysql/; and the SELinux context used is mysqld_db_t.

If you edit the configuration file to use a different location for the data directory, or for any of the files normally in the data directory (such as the binary logs), you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
restorecon -Rv /path/to/my/custom/datadir

semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
restorecon -Rv /path/to/my/custom/logdir

The default location for RedHat RPMs is /var/log/mysqld.log; and the SELinux context type used is mysqld_log_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
restorecon -Rv /path/to/my/custom/error.log

The default location for the PID file is /var/run/mysqld/mysqld.pid; and the SELinux context type used is mysqld_var_run_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
restorecon -Rv /path/to/my/custom/pidfile/directory

The default location for the Unix domain socket is /var/lib/mysql/mysql.sock; and the SELinux context type used is mysqld_var_run_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql\.sock"
restorecon -Rv /path/to/my/custom/mysql.sock

For MySQL versions since 5.6.34, 5.7.16, and 8.0.11.

Installing the MySQL Server RPM creates a /var/lib/mysql-files/ directory but does not set the SELinux context for it. The /var/lib/mysql-files/ directory is intended to be used for operations such as SELECT ... INTO OUTFILE.

If you enabled the use of this directory by setting secure_file_priv, you may need to set the context like so:

semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files/(/.*)?"
restorecon -Rv /var/lib/mysql-files

Edit this path if you used a different location. For security purposes, this directory should never be within the data directory.

For more information about this variable, see the secure_file_priv documentation.