Non-standard database set up with SELinux
What is SELinux?
Security-Enhanced Linux (SELinux) is a security extension to the Linux kernel, originally developed by the NSA (National Security Agency). It implements Mandatory Access Control (MAC), which allows an administrator to define how applications and users may access resources on a system, independently of the normal file ownership and permission bits. A process such as mysqld can therefore be denied access to a directory it owns, if that directory does not carry a label the policy allows it to use.
There is more detail in the SELinux wiki: https://selinuxproject.org/page/FAQ
... and the CentOS documentation: https://wiki.centos.org/HowTos/SELinux
Some distributions have it installed by default but not active, some have it installed and active, and some do not have it installed at all.
How do I know if SELinux is active?
SELinux comes with some new commands. To see the current status of SELinux, use "getenforce" or "sestatus":
[root@localhost ~]# getenforce
Enforcing
- OR -
[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
There are three modes available:
- Enforcing: SELinux is active and enforcing restrictions.
- Permissive: Restrictions are not enforced, but policy violations are still logged as AVC denials in the audit log, which makes this mode useful for testing a new policy before enforcing it.
- Disabled: SELinux is turned off.
Changing modes
If you want to change the mode of SELinux at runtime, use "setenforce":
setenforce [ Enforcing | Permissive | 1 | 0 ]
This change is lost at reboot, and setenforce can only switch between enforcing and permissive. To make the mode persistent, or to disable SELinux entirely, edit the "SELINUX=" line in the configuration file "/etc/selinux/config" and reboot.
Install semanage
If you want to change SELinux policies in an easy way, you will need the tool "semanage". On CentOS 7 it is provided by the policycoreutils-python package and can be installed with the following command:
yum install policycoreutils-python
Create a directory MySQL/MariaDB can access
NOTE: I am going to work with MariaDB for this blog, as it can be installed from the default repositories in CentOS.
With "semanage" installed, create the new directory where MySQL/MariaDB should store the binary logs, if they are not to live in the datadir, give it to the mysql user and label it with the type mysqld_db_t:
mkdir /var/lib/mysql_binlog/
chown -R mysql:mysql /var/lib/mysql_binlog
semanage fcontext -a -t mysqld_db_t "/var/lib/mysql_binlog(/.*)?"
restorecon -Rv /var/lib/mysql_binlog
NOTE: You have to give the absolute path to the file or the directory!
If you want to use MySQL/MariaDB on a non-standard port, you also have to allow usage of that port, otherwise mysqld cannot bind it. Remember to also set "port=3307" in the [mysqld] section of /etc/my.cnf:
semanage port -a -t mysqld_port_t -p tcp 3307
Once you have created the new directory for the binary logs and made sure it is owned by mysql, you still need to change the SELinux type of the directory to the one that allows MySQL/MariaDB to use it (mysqld_db_t, the same type as the datadir). Ownership alone is not enough: if you do not do this, MariaDB fails to start with a "Permission denied (13)" error, and the matching AVC denial can be found in /var/log/audit/audit.log.
"semanage fcontext" records the rule in the local policy, so the label is restored even when the entire file system is relabelled (a label set with "chcon" alone would be lost at the next relabel); "restorecon" applies the recorded rule to the files that already exist.
I was, however, unable to change the socket. I am still unsure what the problem was, as MariaDB did not start or return any error.
Enable MySQL to write to this directory
vi /etc/my.cnf
...
[mysqld]
log-bin=/var/lib/mysql_binlog/binlog
...
systemctl restart mariadb
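The whole procedure above (create the directory, record a persistent fcontext rule, apply it, check the resulting label, open the non-standard port) as one re-runnable script. This is an added example and not code from the original post; it assumes CentOS 7 with the targeted policy, the policycoreutils-python package (semanage), audit (ausearch) and GNU coreutils installed, and an existing "mysql" user. The function names, the script name selinux-mariadb.sh and the "apply" argument are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): label a custom MariaDB
# directory with mysqld_db_t, verify the label, and allow a non-standard
# port. Assumes CentOS 7 with the targeted policy, policycoreutils-python
# (semanage) and GNU coreutils (stat -c %C) installed, and a "mysql" user.

# Build the regex "semanage fcontext" expects for a directory tree.
# A trailing slash is stripped, and relative paths are rejected, because
# semanage stores the pattern as given and a relative one never matches.
fcontext_pattern() {
    dir="${1%/}"
    case "$dir" in
        /*) printf '%s(/.*)?\n' "$dir" ;;
        *)  printf 'error: "%s" is not an absolute path\n' "$1" >&2; return 1 ;;
    esac
}

# Return the type field of a SELinux context (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Create the directory, record a persistent fcontext rule, apply it to
# what is on disk, and check that the label really changed.
label_mysql_dir() {
    dir="${1%/}"
    type="${2:-mysqld_db_t}"
    pattern="$(fcontext_pattern "$dir")" || return 1

    mkdir -p "$dir"
    chown mysql:mysql "$dir"

    # -a fails if a rule for this pattern already exists; fall back to -m
    # so the script can be re-run safely.
    if ! semanage fcontext -a -t "$type" "$pattern" 2>/dev/null; then
        semanage fcontext -m -t "$type" "$pattern"
    fi
    restorecon -Rv "$dir"

    # stat -c %C prints the context; compare only the type, since the
    # user part may differ (system_u vs. unconfined_u) without mattering.
    actual="$(context_type "$(stat -c %C "$dir")")"
    if [ "$actual" != "$type" ]; then
        printf 'expected %s on %s, got %s\n' "$type" "$dir" "$actual" >&2
        return 1
    fi
    printf '%s is labelled %s\n' "$dir" "$actual"
}

# Allow mysqld to bind a non-standard TCP port. "semanage port -a" refuses
# a port that is already listed, so check first (mysqld_port_t already
# covers 1186, 3306 and the range 63132-63164 on CentOS 7).
allow_mysql_port() {
    port="$1"
    if semanage port -l | grep '^mysqld_port_t *tcp' | grep -qw "$port"; then
        printf 'tcp/%s is already allowed for mysqld_port_t\n' "$port"
        return 0
    fi
    semanage port -a -t mysqld_port_t -p tcp "$port"
}

# Show the AVC denials of the last ten minutes, which is where a
# "Permission denied (13)" from MariaDB under SELinux is explained.
recent_denials() {
    ausearch -m avc -ts recent 2>/dev/null || echo "no recent AVC denials"
}

# Usage: sh selinux-mariadb.sh apply /var/lib/mysql_binlog 3307
# (then set log-bin and port under [mysqld] in /etc/my.cnf and restart)
if [ "${1:-}" = "apply" ]; then
    label_mysql_dir "${2:-/var/lib/mysql_binlog}" || exit 1
    allow_mysql_port "${3:-3307}" || exit 1
    recent_denials
fi
```

The label check at the end of label_mysql_dir is the part worth keeping even if you type the commands by hand: a directory that is owned by mysql but still labelled var_lib_t is exactly what produces the "Permission denied (13)" error, and "stat -c %C" (or "ls -Zd") shows it in one line.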
- cedric's blog