MySQL 9.0 Reference Manual

8.7.4 SELinux File Context

The MySQL Server reads from and writes to many files. If the SELinux context is not set correctly for these files, access to the files could be denied.

The instructions that follow use the semanage binary to manage file context; on RHEL, it is part of the policycoreutils-python-utils package:

yum install -y policycoreutils-python-utils

After installing the semanage binary, you can list MySQL file contexts using semanage with the fcontext option.

semanage fcontext -l | grep -i mysql

Setting the MySQL Data Directory Context

The default data directory location is /var/lib/mysql/, and the SELinux context type used is mysqld_db_t.

If you edit the configuration file to use a different location for the data directory, or for any of the files normally in the data directory (such as the binary logs), you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/datadir(/.*)?"
restorecon -Rv /path/to/my/custom/datadir
semanage fcontext -a -t mysqld_db_t "/path/to/my/custom/logdir(/.*)?"
restorecon -Rv /path/to/my/custom/logdir

Setting the MySQL Error Log File Context

The default error log location for the Red Hat RPMs is /var/log/mysqld.log, and the SELinux context type used is mysqld_log_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
restorecon -Rv /path/to/my/custom/error.log

Setting the PID File Context

The default location for the PID file is /var/run/mysqld/mysqld.pid, and the SELinux context type used is mysqld_var_run_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
restorecon -Rv /path/to/my/custom/pidfile/directory

Setting the Unix Domain Socket Context

The default location for the Unix domain socket is /var/lib/mysql/mysql.sock, and the SELinux context type used is mysqld_var_run_t.

If you edit the configuration file to use a different location, you may need to set the context for the new location. For example:

semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/mysql\.sock"
restorecon -Rv /path/to/my/custom/mysql.sock

Setting the secure_file_priv Directory Context

This section applies to MySQL 5.6.34, 5.7.16, 8.0.11, and later.

Installing the MySQL Server RPM creates a /var/lib/mysql-files/ directory but does not set the SELinux context for it. The /var/lib/mysql-files/ directory is intended to be used for operations such as SELECT ... INTO OUTFILE.

If you enabled the use of this directory by setting secure_file_priv, you may need to set the context like so:

semanage fcontext -a -t mysqld_db_t "/var/lib/mysql-files(/.*)?"
restorecon -Rv /var/lib/mysql-files

Edit this path if you used a different location. For security purposes, this directory should never be within the data directory.

For more information about this variable, see the secure_file_priv documentation.
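As an added example that is not part of the manual, the shell functions below generalize the semanage/restorecon pairs shown in the sections above to any relocated MySQL path: they build the file-context regex (dropping a trailing slash, which would otherwise yield a pattern that matches neither the directory nor its contents), escape dots for single-file rules such as the socket, and read the applied label back with ls -dZ so a mislabel is caught before mysqld starts and hits AVC denials. The function names and every path used here are assumptions, not MySQL or SELinux project code.

```shell
# Added example (not from the MySQL manual). Paths are hypothetical.
# Nothing touches the system unless mysql_relabel is called.

# Print the semanage file-context regex for PATH.
#   dir  -> PATH(/.*)?            the directory and everything beneath it
#   file -> PATH with "." escaped  so the regex matches only that file
mysql_fcontext_regex() {
    # Drop a trailing slash: "dir/(/.*)?" would require "dir//" and match nothing useful.
    path="${1%/}"; kind="$2"
    case "$kind" in
        dir)  printf '%s(/.*)?\n' "$path" ;;
        file) printf '%s\n' "$path" | sed 's/[.]/\\./g' ;;
        *)    echo "kind must be dir or file" >&2; return 1 ;;
    esac
}

# Extract the type field from a full SELinux label (user:role:type:level).
selinux_label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type currently on PATH as reported by ls -dZ (empty when SELinux is unavailable).
selinux_type_of() {
    selinux_label_type "$(ls -dZ -- "$1" 2>/dev/null | awk '{print $1}')"
}

# Register the rule, relabel, and verify.  Usage: mysql_relabel TYPE PATH dir|file
# (Use "semanage fcontext -m" instead of "-a" if a rule for the path already exists.)
mysql_relabel() {
    type="$1"; target="${2%/}"; kind="$3"
    regex=$(mysql_fcontext_regex "$target" "$kind") || return 1
    semanage fcontext -a -t "$type" "$regex" || return 1
    restorecon -Rv -- "$target" || return 1
    got=$(selinux_type_of "$target")
    if [ "$got" != "$type" ]; then
        # A wrong label here means mysqld will be denied access at startup.
        echo "expected $type on $target, found '${got:-none}'" >&2
        return 1
    fi
    echo "$target labeled $type"
}
```

Example call: mysql_relabel mysqld_db_t /srv/mysql/data/ dir, then check mysqld's startup log for remaining denials.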