1mysqld_selinux(8)            SELinux Policy mysqld           mysqld_selinux(8)
2
3
4

NAME

6       mysqld_selinux  -  Security  Enhanced  Linux Policy for the mysqld pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  mysqld  processes  via  flexible
11       mandatory access control.
12
13       The  mysqld  processes  execute with the mysqld_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep mysqld_t
20
21
22

ENTRYPOINTS

24       The  mysqld_t  SELinux  type  can be entered via the mysqld_exec_t file
25       type.
26
27       The default entrypoint paths for the mysqld_t domain are the following:
28
29       /usr/sbin/mysqld(-max)?, /usr/libexec/mysqld
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       mysqld policy is very flexible allowing users  to  setup  their  mysqld
39       processes in as secure a method as possible.
40
41       The following process types are defined for mysqld:
42
43       mysqld_safe_t, mysqld_t
44
45       Note:  semanage  permissive -a mysqld_t can be used to make the process
46       type mysqld_t permissive. SELinux does not deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access required.   mysqld
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run mysqld with the tightest access possible.
55
56
57
58       If you want to allow mysqld to connect to all ports, you must  turn  on
59       the mysql_connect_any boolean. Disabled by default.
60
61       setsebool -P mysql_connect_any 1
62
63
64
65       If you want to allow all daemons to write corefiles to /, you must turn
66       on the allow_daemons_dump_core boolean. Disabled by default.
67
68       setsebool -P allow_daemons_dump_core 1
69
70
71
72       If you want to allow all daemons to use tcp wrappers, you must turn  on
73       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.
74
75       setsebool -P allow_daemons_use_tcp_wrapper 1
76
77
78
79       If  you  want to allow all daemons the ability to read/write terminals,
80       you  must  turn  on  the  allow_daemons_use_tty  boolean.  Disabled  by
81       default.
82
83       setsebool -P allow_daemons_use_tty 1
84
85
86
87       If you want to allow all domains to use other domains file descriptors,
88       you must turn on the allow_domain_fd_use boolean. Enabled by default.
89
90       setsebool -P allow_domain_fd_use 1
91
92
93
94       If you want to allow confined applications to run  with  kerberos,  you
95       must turn on the allow_kerberos boolean. Enabled by default.
96
97       setsebool -P allow_kerberos 1
98
99
100
101       If  you want to allow sysadm to debug or ptrace all processes, you must
102       turn on the allow_ptrace boolean. Disabled by default.
103
104       setsebool -P allow_ptrace 1
105
106
107
108       If you want to allow system to run with  NIS,  you  must  turn  on  the
109       allow_ypbind boolean. Disabled by default.
110
111       setsebool -P allow_ypbind 1
112
113
114
115       If  you  want  to enable cluster mode for daemons, you must turn on the
116       daemons_enable_cluster_mode boolean. Disabled by default.
117
118       setsebool -P daemons_enable_cluster_mode 1
119
120
121
122       If you want to allow all domains to have the kernel load  modules,  you
123       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
124       default.
125
126       setsebool -P domain_kernel_load_modules 1
127
128
129
130       If you want to allow all domains to execute in fips_mode, you must turn
131       on the fips_mode boolean. Enabled by default.
132
133       setsebool -P fips_mode 1
134
135
136
137       If you want to enable reading of urandom for all domains, you must turn
138       on the global_ssp boolean. Disabled by default.
139
140       setsebool -P global_ssp 1
141
142
143
144       If you want to allow HTTPD scripts and modules to connect to  databases
145       over  the  network,  you  must turn on the httpd_can_network_connect_db
146       boolean. Disabled by default.
147
148       setsebool -P httpd_can_network_connect_db 1
149
150
151
152       If you want to enable support for upstart as the init program, you must
153       turn on the init_upstart boolean. Enabled by default.
154
155       setsebool -P init_upstart 1
156
157
158
159       If  you  want to allow confined applications to use nscd shared memory,
160       you must turn on the nscd_use_shm boolean. Enabled by default.
161
162       setsebool -P nscd_use_shm 1
163
164
165

PORT TYPES

167       SELinux defines port types to represent TCP and UDP ports.
168
169       You can see the types associated with a port  by  using  the  following
170       command:
171
172       semanage port -l
173
174
175       Policy  governs  the  access  confined  processes  have to these ports.
176       SELinux mysqld policy is very flexible allowing users  to  setup  their
177       mysqld processes in as secure a method as possible.
178
179       The following port types are defined for mysqld:
180
181
182       mysqld_port_t
183
184
185
186       Default Defined Ports:
187                 tcp 1186,3306,63132-63164
188

MANAGED FILES

190       The  SELinux  process  type  mysqld_t can manage files labeled with the
191       following file types.  The paths listed are the default paths for these
192       file types.  Note the processes UID still need to have DAC permissions.
193
194       cluster_conf_t
195
196            /etc/cluster(/.*)?
197
198       cluster_var_lib_t
199
200            /var/lib(64)?/openais(/.*)?
201            /var/lib(64)?/pengine(/.*)?
202            /var/lib(64)?/corosync(/.*)?
203            /usr/lib(64)?/heartbeat(/.*)?
204            /var/lib(64)?/heartbeat(/.*)?
205            /var/lib(64)?/pacemaker(/.*)?
206            /var/lib/cluster(/.*)?
207
208       cluster_var_run_t
209
210            /var/run/crm(/.*)?
211            /var/run/cman_.*
212            /var/run/rsctmp(/.*)?
213            /var/run/aisexec.*
214            /var/run/heartbeat(/.*)?
215            /var/run/cpglockd.pid
216            /var/run/corosync.pid
217            /var/run/rgmanager.pid
218            /var/run/cluster/rgmanager.sk
219
220       faillog_t
221
222            /var/log/btmp.*
223            /var/log/faillog.*
224            /var/log/tallylog.*
225            /var/run/faillock(/.*)?
226
227       hugetlbfs_t
228
229
230       initrc_tmp_t
231
232
233       krb5_host_rcache_t
234
235            /var/cache/krb5rcache(/.*)?
236            /var/tmp/host_0
237            /var/tmp/HTTP_23
238
239       lastlog_t
240
241            /var/log/lastlog.*
242
243       mnt_t
244
245            /mnt(/[^/]*)
246            /mnt(/[^/]*)?
247            /rhev(/[^/]*)?
248            /media(/[^/]*)
249            /media(/[^/]*)?
250            /etc/rhgb(/.*)?
251            /media/.hal-.*
252            /net
253            /afs
254            /rhev
255            /misc
256
257       mysqld_db_t
258
259            /var/lib/mysql(/.*)?
260            /var/lib/squeezeboxserver(/.*)?
261
262       mysqld_log_t
263
264            /var/log/mysql.*
265            /var/log/mariadb(/.*)?
266
267       mysqld_tmp_t
268
269
270       mysqld_var_run_t
271
272            /var/run/mysqld(/.*)?
273            /var/run/mariadb(/.*)?
274            /var/lib/mysql/mysql.sock
275
276       pcscd_var_run_t
277
278            /var/run/pcscd.events(/.*)?
279            /var/run/pcscd.pid
280            /var/run/pcscd.pub
281            /var/run/pcscd.comm
282
283       root_t
284
285            /
286            /initrd
287
288       security_t
289
290
291       tmp_t
292
293            /tmp
294            /usr/tmp
295            /var/tmp
296            /tmp-inst
297            /var/tmp-inst
298            /var/tmp/vi.recover
299
300

FILE CONTEXTS

302       SELinux requires files to have an extended attribute to define the file
303       type.
304
305       You can see the context of a file using the -Z option to ls
306
307       Policy governs the access  confined  processes  have  to  these  files.
308       SELinux  mysqld  policy  is very flexible allowing users to setup their
309       mysqld processes in as secure a method as possible.
310
311       EQUIVALENCE DIRECTORIES
312
313
314       mysqld policy stores data with multiple different  file  context  types
315       under  the  /var/lib/mysql  directory.   If you would like to store the
316       data in a different directory you can use the semanage command to  cre‐
317       ate an equivalence mapping.  If you wanted to store this data under the
318       /srv dirctory you would execute the following command:
319
320       semanage fcontext -a -e /var/lib/mysql /srv/mysql
321       restorecon -R -v /srv/mysql
322
323       STANDARD FILE CONTEXT
324
325       SELinux defines the file context types for the mysqld, if you wanted to
326       store  files  with  these types in a diffent paths, you need to execute
327       the semanage command  to  sepecify  alternate  labeling  and  then  use
328       restorecon to put the labels on disk.
329
330       semanage fcontext -a -t mysqld_var_run_t '/srv/mymysqld_content(/.*)?'
331       restorecon -R -v /srv/mymysqld_content
332
333       Note:  SELinux  often  uses  regular expressions to specify labels that
334       match multiple files.
335
336       The following file types are defined for mysqld:
337
338
339
340       mysqld_db_t
341
342       - Set files with the mysqld_db_t type, if you want to treat  the  files
343       as mysqld database content.
344
345
346       Paths:
347            /var/lib/mysql(/.*)?, /var/lib/squeezeboxserver(/.*)?
348
349
350       mysqld_etc_t
351
352       -  Set  files  with  the mysqld_etc_t type, if you want to store mysqld
353       files in the /etc directories.
354
355
356       Paths:
357            /etc/mysql(/.*)?, /etc/my.cnf.d(/.*)?, /etc/my.cnf
358
359
360       mysqld_exec_t
361
362       - Set files with the mysqld_exec_t type, if you want to  transition  an
363       executable to the mysqld_t domain.
364
365
366       Paths:
367            /usr/sbin/mysqld(-max)?, /usr/libexec/mysqld
368
369
370       mysqld_initrc_exec_t
371
372       -  Set files with the mysqld_initrc_exec_t type, if you want to transi‐
373       tion an executable to the mysqld_initrc_t domain.
374
375
376
377       mysqld_log_t
378
379       - Set files with the mysqld_log_t type, if you want to treat  the  data
380       as mysqld log data, usually stored under the /var/log directory.
381
382
383       Paths:
384            /var/log/mysql.*, /var/log/mariadb(/.*)?
385
386
387       mysqld_safe_exec_t
388
389       - Set files with the mysqld_safe_exec_t type, if you want to transition
390       an executable to the mysqld_safe_t domain.
391
392
393
394       mysqld_tmp_t
395
396       - Set files with the mysqld_tmp_t type, if you  want  to  store  mysqld
397       temporary files in the /tmp directories.
398
399
400
401       mysqld_var_run_t
402
403       -  Set  files  with the mysqld_var_run_t type, if you want to store the
404       mysqld files under the /run or /var/run directory.
405
406
407       Paths:
408            /var/run/mysqld(/.*)?,                     /var/run/mariadb(/.*)?,
409            /var/lib/mysql/mysql.sock
410
411
412       Note:  File context can be temporarily modified with the chcon command.
413       If you want to permanently change the file context you need to use  the
414       semanage fcontext command.  This will modify the SELinux labeling data‐
415       base.  You will need to use restorecon to apply the labels.
416
417

COMMANDS

419       semanage fcontext can also be used to manipulate default  file  context
420       mappings.
421
422       semanage  permissive  can  also  be used to manipulate whether or not a
423       process type is permissive.
424
425       semanage module can also be used to enable/disable/install/remove  pol‐
426       icy modules.
427
428       semanage port can also be used to manipulate the port definitions
429
430       semanage boolean can also be used to manipulate the booleans
431
432
433       system-config-selinux is a GUI tool available to customize SELinux pol‐
434       icy settings.
435
436

AUTHOR

438       This manual page was auto-generated using sepolicy manpage .
439
440

SEE ALSO

442       selinux(8), mysqld(8), semanage(8), restorecon(8),  chcon(1)  ,  setse‐
443       bool(8), mysqld_safe_selinux(8)
444
445
446
447mysqld                             15-06-03                  mysqld_selinux(8)
Impressum