2016/02/16

SELinux vs mysql

I'm a strange kind of fool. I maintain my own mysql packages, which makes installing them annoying because everything wants to pull in mysql-libs from the mainline.

I also sometimes want to install mysql in /home/mysql, not /var/lib/mysql as is standard on CentOS. SELinux is set up to prevent just this sort of thing. The short version is that everything in /home has the home_root_t security context, which mysqld and mysqld_safe aren't allowed to interact with.

The solution is the following:

# first we are setting up the directory
mkdir -p /home/mysql/{InnoDB,etc,log,data,tmp,bin,sbin}
mv /etc/my.cnf /home/mysql/etc
ln -s /home/mysql/etc/my.cnf /etc
# symlink the stock binaries into the new basedir (quoted in case of odd names)
for n in /usr/bin/my* ; do ln -s "$n" /home/mysql/bin ; done
for n in /usr/sbin/my* ; do ln -s "$n" /home/mysql/sbin ; done
chmod 1777 /home/mysql/tmp
chown mysql:mysql -R /home/mysql
joe /home/mysql/etc/my.cnf  # change datadir
joe /etc/init.d/mysql       # change datadir and basedir

# now comes the part where we fight with selinux
# register the labels for the new tree (most specific paths last), then apply them
semanage fcontext -a -t mysqld_db_t "/home/mysql(/.*)?"
semanage fcontext -a -t etc_t "/home/mysql/etc(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/bin(/.*)?"
semanage fcontext -a -t bin_t "/home/mysql/sbin(/.*)?"
semanage fcontext -a -t mysqld_tmp_t "/home/mysql/tmp(/.*)?"
semanage fcontext -a -t mysqld_safe_exec_t "/home/mysql/bin/mysqld_safe"
restorecon -R -v /home/mysql
service mysql start

But it's still failing, because /home/mysql/bin/mysqld_safe is a symlink. To fix this, I did:

# build a policy module from the mysqld denials in the audit log and load it
grep mysqld /var/log/audit/audit.log | audit2allow -M "mysqlhome"
semodule -i mysqlhome.pp
service mysql start

Yay! Now it works.
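Since `grep mysqld ... | audit2allow` turns every matching denial in the log into an allow rule, it is worth seeing exactly which source domains, target types and permissions are about to be granted before `semodule -i`. The script below is an added example, not part of the original post: it summarises AVC denial lines the way you would before feeding them to audit2allow. The audit lines in SAMPLE_AUDIT are constructed to resemble this /home/mysql case (the pids, inodes and timestamps are made up); pass a real file as the second argument to run it against /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Constructed sample of audit.log lines (not from the post); the contexts
# mimic mysqld_safe and mysqld hitting home_root_t files under /home.
SAMPLE_AUDIT='type=AVC msg=audit(1455600000.123:456): avc:  denied  { execute } for  pid=1234 comm="mysqld_safe" name="mysqld_safe" dev="dm-0" ino=100 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1455600001.124:457): avc:  denied  { read } for  pid=1235 comm="mysqld" name="ibdata1" dev="dm-0" ino=101 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1455600001.124:457): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1455600002.125:458): avc:  denied  { write } for  pid=2000 comm="sshd" name="x" dev="dm-0" ino=102 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file'

# read_audit FILE: emit the given audit log, or the constructed sample if none.
read_audit() {
    if [ -n "${1:-}" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_AUDIT"; fi
}

# summarize_denials PATTERN [FILE]: one deduplicated line per AVC denial whose
# comm= matches PATTERN, as "scontext tcontext tclass permissions". This is
# the same selection "grep PATTERN audit.log | audit2allow" would act on.
summarize_denials() {
    read_audit "${2:-}" \
      | grep 'avc:  denied' \
      | grep "comm=\"[^\"]*${1}[^\"]*\"" \
      | sed -n 's/.*denied  { \(.*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
      | sort -u
}

# source_domains PATTERN [FILE]: the distinct source domains behind those
# denials. Each one would receive allow rules in the generated module, so a
# domain you did not expect (here initrc_t, the init script's own domain,
# rather than mysqld_safe_t) is the thing to look at before loading it.
source_domains() {
    summarize_denials "$1" "${2:-}" \
      | sed 's/^[^:]*:[^:]*:\([^:]*\):.*/\1/' \
      | sort -u
}

# count_denials PATTERN [FILE]: number of distinct denials that would be allowed.
count_denials() {
    summarize_denials "$1" "${2:-}" | awk 'END { print NR }'
}

echo "denials matching mysqld:"
summarize_denials mysqld "${1:-}"
echo "source domains that would get rules:"
source_domains mysqld "${1:-}"
```

Run it with no arguments to see the constructed sample, or as `sh check-avc.sh /var/log/audit/audit.log` (hypothetical file name) on a real host. The point of the source-domain listing is that the post's `grep mysqld` matches comm="mysqld_safe" and comm="mysqld" alike, and a denial raised while the init script is still in initrc_t means no transition to the mysqld_safe_t domain happened; an allow rule for initrc_t is much broader than one for mysqld_t, so the `.te` file audit2allow writes next to the `.pp` should be read before `semodule -i`.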
