I'm a strange kind of fool. I maintain my own mysql packages, which makes installing them annoying because everything wants to pull in mysql-libs from the mainline.
I also sometimes want to install mysql in /home/mysql, not /var/lib/mysql as in standard on CentOS. SElinux is set up to prevent just this sort of thing. The short version is that everyhing in /home is has the home_root_t security context, which mysqld and mysqld_safe aren't allowed to interact with.
The solution is the following:
# first we are setting up the directory mkdir -p /home/mysql/{InnoDB,etc,log,data,tmp,bin,sbin} mv /etc/my.cnf /home/mysql/etc ln -s /home/mysql/etc/my.cnf /etc for n in /usr/bin/my* ; do ln -s $n /home/mysql/bin ; done for n in /usr/sbin/my* ; do ln -s $n /home/mysql/sbin ; done chmod 1777 /home/mysql/tmp chown mysql:mysql -R /home/mysql joe /home/mysql/etc/my.cnf # change datadir joe /etc/init.d/mysql # change datadir and basedir # now comes the part where we fight with selinux semanage fcontext -a -t mysqld_db_t "/home/mysql(/.*)?" semanage fcontext -a -t etc_t "/home/mysql/etc(/.*)?" semanage fcontext -a -t bin_t "/home/mysql/bin(/.*)?" semanage fcontext -a -t bin_t "/home/mysql/sbin(/.*)?" semanage fcontext -a -t mysqld_tmp_t "/home/mysql/tmp(/.*)?" semanage fcontext -a -t mysqld_safe_exec_t "/home/mysql/bin/mysqld_safe" restorecon -R -v /home/mysql service mysql start
But it's still failing, because /home/mysql/bin/mysqld_safe is a symlink. To fix this, I did
grep mysqld /var/log/audit/audit.log | audit2allow -M "mysqlhome"
semodule -i mysqlhome.pp
service mysql start
Yay! Now it works
No comments:
Post a Comment