mysqld_selinux(8)             SELinux Policy mysqld             mysqld_selinux(8)

NAME
       mysqld_selinux - Security Enhanced Linux Policy for the mysqld processes

DESCRIPTION
       Security-Enhanced Linux secures the mysqld processes via flexible
       mandatory access control.

       The mysqld processes execute with the mysqld_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

              ps -eZ | grep mysqld_t

ENTRYPOINTS
       The mysqld_t SELinux type can be entered via the mysqld_exec_t file
       type.

       The default entrypoint paths for the mysqld_t domain are the following:

              /usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld,
              /usr/bin/mysql_upgrade

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mysqld policy is very flexible, allowing users to set up their mysqld
       processes in as secure a manner as possible.

       The following process types are defined for mysqld:

              mysqld_t, mysqld_safe_t

       Note: semanage permissive -a mysqld_t can be used to make the process
       type mysqld_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.
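       The note above is the reason a permissive mysqld_t is useful for
       diagnosis: the denials are still written to the audit log, each tagged
       with permissive=1. The following is an added example, not part of this
       generated page or of the selinux-policy project; it pulls the mysqld_t
       records out of a constructed audit log (the three lines inside the
       script are made up for the example) and reduces each one to the fields a
       policy decision depends on: source type, permission, object class,
       target type and whether the denial was actually enforced.

```sh
#!/bin/sh
# Added example (not from the sepolicy-generated page): summarize AVC records
# for the mysqld_t domain. The audit lines below are constructed for this
# example; on a live system pipe `ausearch -m AVC -ts recent` in instead.

sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1714000000.123:456): avc:  denied  { write } for  pid=1234 comm="mysqld" name="data" dev="dm-0" ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1714000000.456:457): avc:  denied  { name_connect } for  pid=1234 comm="mysqld" dest=5432 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1714000000.789:458): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# avc_field LINE KEY: value of "KEY=value" in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission(s) listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc LINE -> "source_type permission tclass target_type mode"
# where mode is "permissive" when the record carries permissive=1.
summarize_avc() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    mode=enforced
    if [ "$(avc_field "$line" permissive)" = 1 ]; then
        mode=permissive
    fi
    printf '%s %s %s %s %s\n' "$src" "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" "$tgt" "$mode"
}

# mysqld_denials: one summary line per AVC record whose source domain is mysqld_t.
mysqld_denials() {
    sample_audit_log | while IFS= read -r line; do
        case $line in
            *type=AVC*scontext=*:mysqld_t:*) summarize_avc "$line" ;;
        esac
    done
}

# count_mysqld_denials: number of mysqld_t records in the log.
count_mysqld_denials() {
    mysqld_denials | wc -l | tr -d ' '
}

mysqld_denials
```

       The first record (mysqld_t writing to a var_lib_t directory) is a
       labeling problem: a data directory outside the default paths keeps the
       generic var_lib_t label and has to be relabeled mysqld_db_t with
       semanage fcontext and restorecon. The second (name_connect to
       postgresql_port_t) is the kind of denial the mysql_connect_any boolean
       lifts. Neither is a reason to leave the domain permissive.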

BOOLEANS
       SELinux policy is customizable based on least access required. mysqld
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mysqld with the tightest access possible.

       If you want to allow mysqld to connect to all ports, you must turn on
       the mysql_connect_any boolean. Disabled by default.

              setsebool -P mysql_connect_any 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

              setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

              setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

              setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

              setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

              setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

              setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

              setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

              setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

              setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

              setsebool -P domain_kernel_load_modules 1

       If you want to allow exim to connect to databases, you must turn on the
       exim_can_connect_db boolean. Disabled by default.

              setsebool -P exim_can_connect_db 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to allow ftpd to connect to databases over the TCP network,
       you must turn on the ftpd_connect_db boolean. Disabled by default.

              setsebool -P ftpd_connect_db 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

              setsebool -P global_ssp 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

              setsebool -P httpd_can_network_connect_db 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

              setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

              setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

              setsebool -P nscd_use_shm 1

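       Every boolean above that is "Disabled by default" widens what mysqld
       (or every daemon) may do once turned on, and setsebool -P persists the
       change across reboots, so a box drifts from the documented baseline
       silently. The following is an added example, not part of this generated
       page or of the selinux-policy project: it compares a snapshot in
       getsebool -a format (constructed here; on a live system feed it the real
       command output) with the defaults documented in this section and prints
       the setsebool -P commands that return each deviating boolean to its
       default.

```sh
#!/bin/sh
# Added example (not from the sepolicy-generated page): report booleans that
# differ from the defaults documented above and emit the commands that revert
# them. The "current state" below is a constructed getsebool -a snapshot.

# Defaults exactly as documented in the BOOLEANS section.
page_defaults() {
    cat <<'EOF'
mysql_connect_any off
authlogin_nsswitch_use_ldap off
daemons_dump_core off
daemons_enable_cluster_mode on
daemons_use_tcp_wrapper off
daemons_use_tty off
deny_ptrace on
domain_can_mmap_files on
domain_can_write_kmsg off
domain_fd_use on
domain_kernel_load_modules off
exim_can_connect_db off
fips_mode on
ftpd_connect_db off
global_ssp off
httpd_can_network_connect_db off
kerberos_enabled on
nis_enabled off
nscd_use_shm off
EOF
}

# Constructed snapshot in `getsebool -a` format; three booleans deviate
# (mysql_connect_any and daemons_use_tty were loosened, deny_ptrace disabled).
current_booleans() {
    cat <<'EOF'
authlogin_nsswitch_use_ldap --> off
daemons_dump_core --> off
daemons_enable_cluster_mode --> on
daemons_use_tcp_wrapper --> off
daemons_use_tty --> on
deny_ptrace --> off
domain_can_mmap_files --> on
domain_can_write_kmsg --> off
domain_fd_use --> on
domain_kernel_load_modules --> off
exim_can_connect_db --> off
fips_mode --> on
ftpd_connect_db --> off
global_ssp --> off
httpd_can_network_connect_db --> off
kerberos_enabled --> on
mysql_connect_any --> on
nis_enabled --> off
nscd_use_shm --> off
EOF
}

# boolean_state NAME: current value of NAME, or nothing if the policy lacks it.
boolean_state() {
    current_booleans | sed -n "s/^$1 --> //p"
}

# drift_report: one "setsebool -P NAME DEFAULT" line per boolean whose current
# value differs from the documented default. Booleans missing from the
# snapshot (not present in the loaded policy) are skipped rather than guessed.
drift_report() {
    page_defaults | while read -r name dflt; do
        cur=$(boolean_state "$name")
        if [ -n "$cur" ] && [ "$cur" != "$dflt" ]; then
            printf 'setsebool -P %s %s\n' "$name" "$dflt"
        fi
    done
}

drift_report
```

       The output is a set of commands to review, not to run blindly: a
       deviation may be deliberate (mysql_connect_any for a replication
       topology, for example), in which case the justification belongs next to
       the boolean in your configuration management rather than in nobody's
       memory.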
PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

              semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

       The following port types are defined for mysqld:

              mysqld_port_t

       Default Defined Ports:
              tcp 1186,3306,63132-63164

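       Running mysqld on a port outside the default set means labeling that
       port mysqld_port_t with semanage port, and the right subcommand depends
       on whether the port is already owned by another type: semanage port -a
       refuses a port that is already defined, and semanage port -m reassigns
       it, taking it away from the domain that had it. The following is an
       added example, not part of this generated page or of the selinux-policy
       project: it reads a constructed excerpt of semanage port -l output and
       works out which invocation is needed for a given port.

```sh
#!/bin/sh
# Added example (not from the sepolicy-generated page): decide whether a port
# needs `semanage port -a` or `semanage port -m` to be labeled mysqld_port_t.
# The port listing below is a constructed excerpt in `semanage port -l` format.

sample_port_list() {
    cat <<'EOF'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
postgresql_port_t              tcp      5432, 9898
EOF
}

# port_owner PROTO PORT: the port type whose definition covers PORT (single
# ports and low-high ranges), or nothing if the port is unassigned.
port_owner() {
    proto=$1 port=$2
    sample_port_list | while read -r ptype pproto ports; do
        [ "$pproto" = "$proto" ] || continue
        for spec in $(printf '%s' "$ports" | tr -d ','); do
            lo=${spec%-*}
            hi=${spec#*-}          # for a single port lo and hi are equal
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s\n' "$ptype"
            fi
        done
    done
}

# port_command TYPE PROTO PORT: the semanage invocation that makes TYPE cover
# PORT, or a comment when nothing needs doing.
port_command() {
    want=$1 proto=$2 port=$3
    owner=$(port_owner "$proto" "$port")
    if [ -z "$owner" ]; then
        printf 'semanage port -a -t %s -p %s %s\n' "$want" "$proto" "$port"
    elif [ "$owner" = "$want" ]; then
        printf '# %s/%s is already labeled %s; nothing to do\n' "$proto" "$port" "$want"
    else
        # -a would fail with "already defined"; -m moves the port to the new type,
        # so the previous owner loses it.
        printf 'semanage port -m -t %s -p %s %s  # was %s\n' "$want" "$proto" "$port" "$owner"
    fi
}

port_command mysqld_port_t tcp 3306
port_command mysqld_port_t tcp 3307
port_command mysqld_port_t tcp 5432
```

       The -m case deserves a pause: relabeling 5432 for mysqld would deny
       postgresql_t its own port on that host. Prefer an unassigned port and
       -a; reach for -m only when the takeover is intended.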
MANAGED FILES
       The SELinux process type mysqld_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       cluster_conf_t

              /etc/cluster(/.*)?

       cluster_var_lib_t

              /var/lib/pcsd(/.*)?
              /var/lib/cluster(/.*)?
              /var/lib/openais(/.*)?
              /var/lib/pengine(/.*)?
              /var/lib/corosync(/.*)?
              /usr/lib/heartbeat(/.*)?
              /var/lib/heartbeat(/.*)?
              /var/lib/pacemaker(/.*)?

       cluster_var_run_t

              /var/run/crm(/.*)?
              /var/run/cman_.*
              /var/run/rsctmp(/.*)?
              /var/run/aisexec.*
              /var/run/heartbeat(/.*)?
              /var/run/corosync-qnetd(/.*)?
              /var/run/corosync-qdevice(/.*)?
              /var/run/cpglockd.pid
              /var/run/corosync.pid
              /var/run/rgmanager.pid
              /var/run/cluster/rgmanager.sk

       faillog_t

              /var/log/btmp.*
              /var/log/faillog.*
              /var/log/tallylog.*
              /var/run/faillock(/.*)?

       hugetlbfs_t

              /dev/hugepages
              /usr/lib/udev/devices/hugepages

       krb5_host_rcache_t

              /var/cache/krb5rcache(/.*)?
              /var/tmp/nfs_0
              /var/tmp/DNS_25
              /var/tmp/host_0
              /var/tmp/imap_0
              /var/tmp/HTTP_23
              /var/tmp/HTTP_48
              /var/tmp/ldap_55
              /var/tmp/ldap_487
              /var/tmp/ldapmap1_0

       lastlog_t

              /var/log/lastlog.*

       mysqld_db_t

              /var/lib/mysql(-files|-keyring)?(/.*)?

       mysqld_log_t

              /var/log/mysql.*
              /var/log/mariadb(/.*)?

       mysqld_tmp_t


       mysqld_var_run_t

              /var/run/mysqld(/.*)?
              /var/run/mariadb(/.*)?
              /var/lib/mysql/mysql.sock

       root_t

              /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
              /
              /initrd

       security_t

              /selinux

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

   STANDARD FILE CONTEXT
       SELinux defines the file context types for mysqld. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

              semanage fcontext -a -t mysqld_var_run_t '/srv/mymysqld_content(/.*)?'
              restorecon -R -v /srv/mymysqld_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mysqld:

       mysqld_db_t

       - Set files with the mysqld_db_t type, if you want to treat the files
       as mysqld database content.

       mysqld_etc_t

       - Set files with the mysqld_etc_t type, if you want to store mysqld
       files in the /etc directories.

       Paths:
              /etc/mysql(/.*)?, /etc/my.cnf.d(/.*)?, /etc/my.cnf

       mysqld_exec_t

       - Set files with the mysqld_exec_t type, if you want to transition an
       executable to the mysqld_t domain.

       Paths:
              /usr/sbin/mysqld(-max)?, /usr/sbin/ndbd, /usr/libexec/mysqld,
              /usr/bin/mysql_upgrade

       mysqld_home_t

       - Set files with the mysqld_home_t type, if you want to store mysqld
       files in the users' home directories.

       Paths:
              /root/.my.cnf, /home/[^/]+/.my.cnf

       mysqld_initrc_exec_t

       - Set files with the mysqld_initrc_exec_t type, if you want to
       transition an executable to the mysqld_initrc_t domain.

       mysqld_log_t

       - Set files with the mysqld_log_t type, if you want to treat the data
       as mysqld log data, usually stored under the /var/log directory.

       Paths:
              /var/log/mysql.*, /var/log/mariadb(/.*)?

       mysqld_safe_exec_t

       - Set files with the mysqld_safe_exec_t type, if you want to transition
       an executable to the mysqld_safe_t domain.

       Paths:
              /usr/bin/mysqld_safe, /usr/libexec/mysqld_safe-scl-helper

       mysqld_tmp_t

       - Set files with the mysqld_tmp_t type, if you want to store mysqld
       temporary files in the /tmp directories.

       mysqld_unit_file_t

       - Set files with the mysqld_unit_file_t type, if you want to treat the
       files as mysqld unit content.

       Paths:
              /usr/lib/systemd/system/mysqld.*,
              /usr/lib/systemd/system/mariadb.*

       mysqld_var_run_t

       - Set files with the mysqld_var_run_t type, if you want to store the
       mysqld files under the /run or /var/run directory.

       Paths:
              /var/run/mysqld(/.*)?, /var/run/mariadb(/.*)?,
              /var/lib/mysql/mysql.sock

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

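       The practical question behind the STANDARD FILE CONTEXT procedure is
       "which type will this path get after restorecon, and does it need a
       semanage fcontext rule first?" The following is an added example, not
       part of this generated page or of the selinux-policy project: a small
       emulation of how the default regexes listed above map a path to a type,
       extended with the local rule a semanage fcontext -a call would record.
       Its ordering rule (the entry with the longest literal prefix before the
       first regex metacharacter wins) is a simplification of libselinux's
       specificity sort, not its exact algorithm, and the LOCAL_FCONTEXTS
       variable is invented for the example.

```sh
#!/bin/sh
# Added example (not from the sepolicy-generated page): emulate which file type
# the default mysqld file-context regexes assign to a path, so a relocation
# (for example a data directory under /srv) can be planned before touching a
# live system. Longest-literal-prefix ordering is a simplification of libselinux.

# Default mysqld file-context regexes exactly as listed on this page.
default_fcontexts() {
    cat <<'EOF'
/var/lib/mysql(-files|-keyring)?(/.*)? mysqld_db_t
/var/lib/mysql/mysql.sock mysqld_var_run_t
/var/run/mysqld(/.*)? mysqld_var_run_t
/var/run/mariadb(/.*)? mysqld_var_run_t
/var/log/mysql.* mysqld_log_t
/var/log/mariadb(/.*)? mysqld_log_t
/etc/mysql(/.*)? mysqld_etc_t
/etc/my.cnf.d(/.*)? mysqld_etc_t
/etc/my.cnf mysqld_etc_t
/root/.my.cnf mysqld_home_t
/home/[^/]+/.my.cnf mysqld_home_t
/usr/sbin/mysqld(-max)? mysqld_exec_t
/usr/libexec/mysqld mysqld_exec_t
/usr/bin/mysqld_safe mysqld_safe_exec_t
/usr/lib/systemd/system/mysqld.* mysqld_unit_file_t
EOF
}

# Local rules in the same "REGEX TYPE" form, as `semanage fcontext -a -t TYPE
# 'REGEX'` would record them. LOCAL_FCONTEXTS is an assumed variable for this
# example only; it is empty unless the caller sets it.
LOCAL_FCONTEXTS=${LOCAL_FCONTEXTS:-}

all_fcontexts() {
    default_fcontexts
    if [ -n "$LOCAL_FCONTEXTS" ]; then
        printf '%s\n' "$LOCAL_FCONTEXTS"
    fi
}

# stem REGEX: the literal prefix before the first regex metacharacter.
stem() {
    printf '%s\n' "$1" | sed 's/[?*+|(.^$[{\\].*//'
}

# expected_type PATH: type of the most specific matching rule (longest stem;
# earlier entry wins a tie), or nothing when no rule on this page matches.
expected_type() {
    all_fcontexts | {
        best= best_len=-1
        while read -r re type; do
            if printf '%s\n' "$1" | grep -Eq "^${re}"'$'; then
                s=$(stem "$re")
                if [ "${#s}" -gt "$best_len" ]; then
                    best=$type best_len=${#s}
                fi
            fi
        done
        printf '%s\n' "$best"
    }
}

# relabel_plan DIR TYPE: the commands from this page needed so that DIR and
# everything below it carry TYPE, or a note when the defaults already do.
relabel_plan() {
    dir=$1 want=$2
    if [ "$(expected_type "$dir")" = "$want" ]; then
        printf '# %s already maps to %s by default; restorecon -R -v %s is enough\n' "$dir" "$want" "$dir"
    else
        printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$want" "$dir"
        printf 'restorecon -R -v %s\n' "$dir"
    fi
}

expected_type /var/lib/mysql/mysql.sock
relabel_plan /var/lib/mysql mysqld_db_t
relabel_plan /srv/mysql mysqld_db_t
```

       Two things the emulation makes visible: /var/lib/mysql/mysql.sock gets
       mysqld_var_run_t rather than mysqld_db_t because its literal rule is
       more specific than the /var/lib/mysql(-files|-keyring)?(/.*)? regex,
       and a data directory under /srv matches nothing on this page, which is
       exactly the case that produces a write denial against var_lib_t until
       the semanage fcontext rule is added and restorecon has run.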
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mysqld_safe_selinux(8)

mysqld                            19-04-25                    mysqld_selinux(8)