Mysql – Enable selinux to allow the mysql files to be read and written on an nfs share


I have moved my /var/lib/mysql directory to an nfs share, updated all the config files and created symbolic links where appropriate. This works when I have selinux turned off, but mysqld fails to start when selinux is turned on. I have googled for a solution but haven't found any that work. I suspect I am missing something simple.

Here is what I tried:

yum install policycoreutils-python
semanage fcontext -a -t mysqld_db_t "/nfs/data0/mysql(/.*)?"
restorecon -Rv /nfs/data0/mysql

I suspect that I may be using the wrong context here, but not sure what the right one would be. Any suggestions?

UPDATE:

After looking at the /var/log/audit/audit.log as suggested, I see the following errors:

type=AVC msg=audit(1398346018.436:3455): avc:  denied  { write } for  pid=10980 
   comm="httpd" name="mysql.sock" dev=0:13 ino=18438 
   scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 
   tclass=sock_file
type=AVC msg=audit(1398346018.439:3456): avc:  denied  { search } for  pid=12395 
   comm="mysqld" name="mysql" dev=0:13 ino=14805 
   scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 
   tclass=dir
type=AVC msg=audit(1398346019.657:3457): avc:  denied  { open } for  pid=12395 
   comm="mysqld" name="cache_admin_menu.frm" dev=0:13 ino=23322 
   scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 
   tclass=file

Not sure what I need to do to address this. I have the following SELinux booleans enabled:

mysql_connect_any
httpd_can_network_connect_db
httpd_can_network_connect
httpd_can_network_memcache
httpd_can_sendmail
httpd_use_nfs
httpd_builtin_scripting

Thanks.

Best Answer

This question is a bit old, but I don't see one with the correct answer.

So I ran into this problem with AWS and EFS using a centos AMI to run mysql.

There are two problems that occur here: the permissions around the regular mysql files, and the permissions around the mysql socket and its lock file.

It appears that the mysql socket is created with a context of mysqld_var_run_t and the lock file with a context of mysqld_db_t as are the regular mysql files.

Now, NFS mounts are usually given a context of nfs_t.

It appears that an nfs mount can only have one SELinux context when being mounted. So what I had to do when mounting via nfs was the following:

  1. mount the NFS share with the mysqld_db_t context.
  2. move the mysql socket to a different directory with the mysqld_db_t context.

So in fstab the mount looks like this:

nfs-share-url:/ /data nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noatime,context="system_u:object_r:mysqld_db_t:s0"  0 0

my.cnf looks like this:

datadir=/data
socket=/var/lib/mysql-files/mysql.sock

So permissions are correct on all files and mysql now stores data on the EFS NFS share.
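The two halves of this thread fit together: the AVC lines in the question all have a target context of nfs_t, which is exactly the case that `semanage fcontext` + `restorecon` cannot fix (a plain NFS mount carries one mount-wide label, so there are no per-file labels to restore), and the answer fixes it by putting `context="...mysqld_db_t..."` on the mount itself. The script below is an added example, not code from the question or the answer: it summarises AVC denials from audit.log-style input, counts how many target nfs_t, and checks whether an fstab entry for a given mount point carries the mysqld_db_t context. The audit lines and the second fstab line are constructed sample data modelled on the page; `nfs-share-url` is the placeholder the answer uses.

```shell
#!/bin/bash
# Added example (not from the original question or answer): triage SELinux AVC
# denials against an NFS-backed MySQL datadir, and verify that the fstab entry
# carries the single mount-wide context the answer relies on.

# Constructed sample audit lines, modelled on the denials quoted in the question.
SAMPLE_AVC='type=AVC msg=audit(1398346018.436:3455): avc:  denied  { write } for  pid=10980 comm="httpd" name="mysql.sock" dev=0:13 ino=18438 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
type=AVC msg=audit(1398346018.439:3456): avc:  denied  { search } for  pid=12395 comm="mysqld" name="mysql" dev=0:13 ino=14805 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1398346019.657:3457): avc:  denied  { open } for  pid=12395 comm="mysqld" name="cache_admin_menu.frm" dev=0:13 ino=23322 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# Constructed sample fstab: the first line is the answer's mount with a context=
# option, the second is a hypothetical mount without one (nfs-share-url is a placeholder).
SAMPLE_FSTAB='nfs-share-url:/ /data nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noatime,context="system_u:object_r:mysqld_db_t:s0"  0 0
nfs-share-url:/export /nfs/data0 nfs4 nfsvers=4.1,hard,noatime  0 0'

# avc_summary: read AVC lines on stdin and print one unique
# "source_type target_type class permissions" line per denial.
# The type is the third colon-separated field of each context.
avc_summary() {
    grep -E 'avc: +denied' \
    | sed -E 's/.*[{] ([^}]*) [}].*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]+).*/\2 \3 \4 \1/' \
    | sort -u
}

# nfs_denials: count denials (stdin) whose target type is nfs_t. These are the
# ones restorecon cannot fix, because the label comes from the mount, not the files.
nfs_denials() {
    avc_summary | awk '$2 == "nfs_t" { n++ } END { print n + 0 }'
}

# fstab_mount_context FSTAB_TEXT MOUNTPOINT: print the SELinux type from the
# context= mount option of the entry for MOUNTPOINT, or "none" if absent.
fstab_mount_context() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] ~ /^context=/) {
                v = opt[i]; sub(/^context="?/, "", v); sub(/"$/, "", v)
                split(v, c, ":"); print c[3]; found = 1
            }
        }
        END { if (!found) print "none" }'
}

# datadir_mount_ok FSTAB_TEXT MOUNTPOINT: succeed only when the mount is
# labelled mysqld_db_t, which is what mysqld_t is allowed to read and write.
datadir_mount_ok() {
    [ "$(fstab_mount_context "$1" "$2")" = "mysqld_db_t" ]
}

# Stand-alone demo: summarise the sample denials and check both sample mounts.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "denials against nfs_t: $(printf '%s\n' "$SAMPLE_AVC" | nfs_denials)"
for mp in /data /nfs/data0; do
    if datadir_mount_ok "$SAMPLE_FSTAB" "$mp"; then
        echo "$mp: mounted with mysqld_db_t context, OK for a MySQL datadir"
    else
        echo "$mp: context is $(fstab_mount_context "$SAMPLE_FSTAB" "$mp"); add context=\"system_u:object_r:mysqld_db_t:s0\" to the mount options"
    fi
done
```

Run it against a real system with `grep avc /var/log/audit/audit.log | avc_summary` and `fstab_mount_context "$(cat /etc/fstab)" /data`. Note the first sample denial is httpd_t writing mysql.sock: the mount context only helps mysqld_t, which is why the answer also moves the socket off the NFS share to a local directory.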
