I have moved my /var/lib/mysql directory to an nfs share, updated all the config files and created symbolic links where appropriate. This works when I have selinux turned off, but mysqld fails to start when selinux is turned on. I have googled for a solution but haven't found any that works. I suspect I am missing something simple.
Here is what I tried:

```shell
yum install policycoreutils-python
semanage fcontext -a -t mysqld_db_t "/nfs/data0/mysql(/.*)?"
restorecon -Rv /nfs/data0/mysql
```
I suspect that I may be using the wrong context here, but not sure what the right one would be. Any suggestions?
UPDATE:
After looking at /var/log/audit/audit.log as suggested, I see the following errors:
```
type=AVC msg=audit(1398346018.436:3455): avc: denied { write } for pid=10980 comm="httpd" name="mysql.sock" dev=0:13 ino=18438 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
type=AVC msg=audit(1398346018.439:3456): avc: denied { search } for pid=12395 comm="mysqld" name="mysql" dev=0:13 ino=14805 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1398346019.657:3457): avc: denied { open } for pid=12395 comm="mysqld" name="cache_admin_menu.frm" dev=0:13 ino=23322 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
```
Not sure what I need to do to address this. I have the following sebools enabled:

- mysql_connect_any
- httpd_can_network_connect_db
- httpd_can_network_connect
- httpd_can_network_memcache
- httpd_can_sendmail
- httpd_use_nfs
- httpd_builtin_scripting
Thanks.
Best Answer
This question is a bit old, but I don't see one with the correct answer.
So I ran into this problem with AWS and EFS using a centos AMI to run mysql.
There are two problems that occur here. The permissions around the regular mysql files and the permissions around the mysql socket and its lock file.
It appears that the mysql socket is created with a context of mysqld_var_run_t and the lock file with a context of mysqld_db_t as are the regular mysql files.
Now, NFS mounts are usually given a context of nfs_t.
It appears that an NFS mount can only have one SELinux context when being mounted. So what I had to do when mounting via NFS was the following:
So in fstab mount looks like this:
my.cnf looks like this:
So permissions are correct on all files and mysql now stores data on the EFS NFS share.
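The AVC records quoted in the question are the evidence that the mount carries the generic nfs_t label rather than a database label. As an added example (not code from the question or the answer above), the following POSIX shell functions summarise such records into one line each (source domain, denied permission, target type, object class, object name) and count how many hit an nfs_t target. The three sample records are constructed from the ones in the question, joined onto single lines as audit.log writes them; `AVC_SAMPLE`, `avc_summary` and `nfs_t_denials` are names chosen here, not anything from the page.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials so the source domain,
# target label and object class are visible at a glance.
# Constructed sample records, modelled on the ones in the question.
AVC_SAMPLE='type=AVC msg=audit(1398346018.436:3455): avc: denied { write } for pid=10980 comm="httpd" name="mysql.sock" dev=0:13 ino=18438 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=sock_file
type=AVC msg=audit(1398346018.439:3456): avc: denied { search } for pid=12395 comm="mysqld" name="mysql" dev=0:13 ino=14805 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1398346019.657:3457): avc: denied { open } for pid=12395 comm="mysqld" name="cache_admin_menu.frm" dev=0:13 ino=23322 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_summary: read AVC records on stdin and print, per denial:
#   <source type> <permission> <target type> <class> <name>
# Only the SELinux type (third field of the context) is kept, since
# that is what fcontext rules and mount context= options set.
avc_summary() {
    awk '
    /^type=AVC/ {
        perm = ""; src = ""; tgt = ""; cls = ""; name = "";
        # the denied permission sits between "denied { " and " }"
        if (match($0, /denied [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 9, RLENGTH - 11);
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3]; }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3]; }
            else if (kv[1] == "tclass")   { cls = kv[2]; }
            else if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name); }
        }
        print src, perm, tgt, cls, name;
    }'
}

# nfs_t_denials: number of denials whose target is labelled nfs_t,
# i.e. objects on an NFS mount that was not given a database label.
nfs_t_denials() {
    avc_summary | awk '$3 == "nfs_t" { n++ } END { print n + 0 }'
}

# Stand-alone usage: on a real host replace the sample with
#   grep '^type=AVC' /var/log/audit/audit.log | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

When every line of the summary shows mysqld_t or httpd_t being denied on an nfs_t target, the fix is a labelling problem on the mount rather than a missing boolean, which is the situation the answer describes.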