mysqld_selinux(8)            SELinux Policy mysqld           mysqld_selinux(8)


NAME

       mysqld_selinux - Security Enhanced Linux Policy for the mysqld processes


DESCRIPTION

       Security-Enhanced Linux secures the mysqld processes via flexible
       mandatory access control.

       The mysqld processes execute with the mysqld_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z option.

       For example:

       ps -eZ | grep mysqld_t


ENTRYPOINTS

       The mysqld_t SELinux type can be entered via the mysqld_exec_t file
       type.

       The default entrypoint paths for the mysqld_t domain are the following:

       /usr/sbin/mysqld(-max|-debug)?, /usr/sbin/ndbd, /usr/libexec/mysqld,
       /usr/bin/mysql_upgrade, /usr/bin/mysqld_safe_helper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mysqld policy is very flexible, allowing users to set up their mysqld
       processes in as secure a manner as possible.

       The following process types are defined for mysqld:

       mysqld_t, mysqld_safe_t

       Note: semanage permissive -a mysqld_t can be used to make the process
       type mysqld_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Use this only while collecting denials for troubleshooting:
       a permissive mysqld_t is not enforced at all.

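       A server only gets the protection described on this page if it really
       runs in mysqld_t. A mysqld binary started from a path that is not
       labeled mysqld_exec_t (a hand-installed copy under /opt, for instance)
       does not transition and keeps the caller's domain. The following check
       is an added example, not part of the sepolicy-generated page: it reads
       ps -eZ output and flags mysqld, mariadbd or mysqld_safe processes that
       are outside the domains listed above. The function name and the sample
       ps output are constructed for this example.

```shell
# Added example (not part of the sepolicy-generated page): confirm that the
# mysqld processes actually run in the mysqld_t domain. A server started from
# a binary that is not labeled mysqld_exec_t does not transition and runs in
# the caller's domain, so none of the policy on this page applies to it.

# Reads `ps -eZ` output on stdin. Prints one line per mysqld/mariadbd/
# mysqld_safe process and returns 1 if any runs outside its expected domain.
check_mysqld_domain() {
    awk '
        $NF ~ /^(mysqld|mariadbd|mysqld_safe)$/ {
            split($1, ctx, ":")             # user:role:type:level
            want = ($NF == "mysqld_safe") ? "mysqld_safe_t" : "mysqld_t"
            if (ctx[3] == want) {
                printf "ok   pid=%s domain=%s cmd=%s\n", $2, ctx[3], $NF
            } else {
                printf "BAD  pid=%s domain=%s cmd=%s (expected %s)\n", $2, ctx[3], $NF, want
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample (not captured from a real host): one confined server,
# its mysqld_safe wrapper, one server started by hand from an unlabeled
# copy, and one unrelated process.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:mysqld_t:s0            1234 ?        00:00:03 mysqld
system_u:system_r:mysqld_safe_t:s0       1230 ?        00:00:00 mysqld_safe
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:01 mysqld
system_u:system_r:sshd_t:s0-s0:c0.c1023  3456 ?        00:00:00 sshd'

# Live use:  ps -eZ | check_mysqld_domain
printf '%s\n' "$SAMPLE_PS" | check_mysqld_domain || echo "a mysqld process is running unconfined"
```

       When the check reports BAD, fix the label of the binary that was
       started (restorecon -v on it, or a semanage fcontext rule for a
       non-default path as described under FILE CONTEXTS) and restart the
       service; toggling booleans does not help a process that never entered
       mysqld_t.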

BOOLEANS

       SELinux policy is customizable based on the least access required.
       mysqld policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run mysqld with the tightest access
       possible.

       If you want to allow mysqld to connect to all ports, you must turn on
       the mysql_connect_any boolean. Disabled by default. This is the
       broadest of the booleans below; when the destination is a web service,
       prefer mysql_connect_http.

       setsebool -P mysql_connect_any 1

       If you want to allow mysqld to connect to the http port, you must turn
       on the mysql_connect_http boolean. Disabled by default.

       setsebool -P mysql_connect_http 1

       If you want to allow exim to connect to databases, you must turn on the
       exim_can_connect_db boolean. Disabled by default.

       setsebool -P exim_can_connect_db 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow ftpd to connect to databases over the TCP network,
       you must turn on the ftpd_connect_db boolean. Disabled by default.

       setsebool -P ftpd_connect_db 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow PowerDNS to connect to databases over the network,
       you must turn on the pdns_can_network_connect_db boolean. Disabled by
       default.

       setsebool -P pdns_can_network_connect_db 1

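       Booleans are the usual place where a database host drifts away from
       least privilege, because setsebool -P persists across reboots and
       nobody reverts a boolean once the immediate problem goes away. The
       following audit is an added example, not part of the sepolicy-generated
       page: it reads getsebool -a output and reports every boolean listed
       above whose value differs from the default documented on this page,
       marking mysql_connect_any separately because it widens mysqld's reach
       to every port rather than to one service. The function name and the
       sample getsebool output are constructed for this example.

```shell
# Added example (not part of the sepolicy-generated page): report which of
# the booleans documented on this page have drifted from their defaults.
# Reads `getsebool -a` (or `getsebool <name>`) output, "name --> on|off",
# on stdin. Returns 1 if anything drifted, 0 otherwise.
audit_mysqld_booleans() {
    awk '
        BEGIN {
            # defaults as stated in the BOOLEANS section of this manual page
            def["mysql_connect_any"]            = "off"
            def["mysql_connect_http"]           = "off"
            def["exim_can_connect_db"]          = "off"
            def["fips_mode"]                    = "on"
            def["ftpd_connect_db"]              = "off"
            def["httpd_can_network_connect_db"] = "off"
            def["kerberos_enabled"]             = "off"
            def["nis_enabled"]                  = "off"
            def["pdns_can_network_connect_db"]  = "off"
            # the one boolean whose scope is "any port" rather than one service
            broad["mysql_connect_any"] = 1
        }
        ($1 in def) && $3 != def[$1] {
            tag = ($1 in broad && $3 == "on") ? "BROAD" : "DRIFT"
            printf "%-5s %s is %s (default %s)\n", tag, $1, $3, def[$1]
            n++
        }
        END { if (n) exit 1; exit 0 }
    '
}

# Constructed sample (not from a real host): mysql_connect_any was left on
# after a troubleshooting session, httpd was deliberately allowed to reach
# the database, everything else is at its default.
SAMPLE_BOOLS='exim_can_connect_db --> off
fips_mode --> on
httpd_can_network_connect_db --> on
mysql_connect_any --> on
mysql_connect_http --> off
nis_enabled --> off
virt_use_nfs --> off'

# Live use:  getsebool -a | audit_mysqld_booleans
printf '%s\n' "$SAMPLE_BOOLS" | audit_mysqld_booleans || echo "booleans differ from documented defaults"
```

       A DRIFT line is not necessarily wrong (httpd_can_network_connect_db on
       is normal for a web server that talks to a remote database); it is a
       prompt to confirm the setting is still needed. A BROAD line should be
       replaced by the narrower boolean or by labeling the specific port when
       the destination is known, then cleared with setsebool -P
       mysql_connect_any 0.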

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

       The following port types are defined for mysqld:

       mysqld_port_t

       Default Defined Ports:
                 tcp 1186,3306,63132-63164

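       A second instance listening on tcp/3307, or a cluster port outside the
       63132-63164 range, is denied name_bind until the port carries
       mysqld_port_t. Whether semanage port -a or semanage port -m is the
       right command depends on what semanage port -l already says about the
       port. The following helper is an added example, not part of the
       sepolicy-generated page: it reads semanage port -l output and tells the
       administrator which of the two commands applies. It follows the rule
       semanage itself enforces: -a is refused only when another type already
       defines exactly that port, not when the port merely falls inside a
       catch-all range such as unreserved_port_t. The function names and the
       sample port listing are constructed for this example.

```shell
# Added example (not part of the sepolicy-generated page): decide how to
# label a non-default mysqld listener port from `semanage port -l` output
# read on stdin. Exit codes: 0 labeled, 1 unlabeled, 2 owned by another type.
port_label_status() {          # usage: port_label_status <proto> <port>
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i; gsub(",", "", item)         # "3306," or "63132-63164,"
                n = split(item, r, "-")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 < lo || port + 0 > hi) continue
                if ($1 == "mysqld_port_t") ok = 1
                else if (lo == hi) owner = $1        # exact definition blocks -a
            }
        }
        END {
            if (ok)          { print "labeled";         exit 0 }
            if (owner != "") { print "conflict " owner; exit 2 }
            print "unlabeled"; exit 1
        }
    '
}

# Turns the status into the command an administrator would run.
label_mysqld_port() {          # usage: semanage port -l | label_mysqld_port tcp 3307
    status=$(port_label_status "$1" "$2"); rc=$?
    case "$status" in
        labeled)   echo "# $1/$2 already carries mysqld_port_t" ;;
        unlabeled) echo "semanage port -a -t mysqld_port_t -p $1 $2" ;;
        conflict*) echo "# $1/$2 is defined as ${status#conflict }; re-assigning it also"
                   echo "# changes what that type's own domains may bind or connect to:"
                   echo "semanage port -m -t mysqld_port_t -p $1 $2" ;;
    esac
    return $rc
}

# Constructed excerpt in the layout of `semanage port -l` (not a real dump).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Live use:  semanage port -l | label_mysqld_port tcp 3307
printf '%s\n' "$SAMPLE_PORTS" | label_mysqld_port tcp 3307 || true
```

       The conflict case deserves the comment the helper prints: semanage
       port -m moves the port out of its current type, so a proxy on tcp/8080
       that relied on http_cache_port_t loses that access at the same time as
       mysqld gains it. Pick a free port for the database instead whenever
       you can.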

MANAGED FILES

       The SELinux process type mysqld_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       lastlog_t

            /var/log/lastlog.*

       mysqld_db_t

            /var/lib/mysql(-files|-keyring)?(/.*)?

       mysqld_log_t

            /var/log/mysql.*
            /var/log/mysql(/.*)?
            /var/log/mariadb(/.*)?

       mysqld_var_run_t

            /var/run/mysql(/.*)?
            /var/run/mysqld(/.*)?
            /var/run/mariadb(/.*)?
            /var/lib/mysql/mysql.sock

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       mysqld policy stores data with multiple different file context types
       under the /var/log/mysql directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/mysql /srv/mysql
       restorecon -R -v /srv/mysql

       mysqld policy stores data with multiple different file context types
       under the /var/run/mysql directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/run/mysql /srv/mysql
       restorecon -R -v /srv/mysql

       Note: a target path can carry only one equivalence. If /srv/mysql has
       already been made equivalent to /var/log/mysql as above, semanage
       rejects a second equivalence for the same target; use a distinct
       target for each mapping, for example /srv/mysql-run for the
       /var/run/mysql data.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mysqld. If you wanted to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t mysqld_tmp_t '/srv/mymysqld_content(/.*)?'
       restorecon -R -v /srv/mymysqld_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for mysqld:

       mysqld_db_t

       - Set files with the mysqld_db_t type, if you want to treat the files
       as mysqld database content.

       mysqld_etc_t

       - Set files with the mysqld_etc_t type, if you want to store mysqld
       files in the /etc directories.

       Paths:
            /etc/mysql(/.*)?, /etc/my.cnf.d(/.*)?, /etc/my.cnf

       mysqld_exec_t

       - Set files with the mysqld_exec_t type, if you want to transition an
       executable to the mysqld_t domain.

       Paths:
            /usr/sbin/mysqld(-max|-debug)?, /usr/sbin/ndbd,
            /usr/libexec/mysqld, /usr/bin/mysql_upgrade,
            /usr/bin/mysqld_safe_helper

       mysqld_home_t

       - Set files with the mysqld_home_t type, if you want to store mysqld
       files in the user's home directory.

       Paths:
            /root/.my.cnf, /home/[^/]+/.my.cnf

       mysqld_initrc_exec_t

       - Set files with the mysqld_initrc_exec_t type, if you want to
       transition an executable to the mysqld_initrc_t domain.

       mysqld_log_t

       - Set files with the mysqld_log_t type, if you want to treat the data
       as mysqld log data, usually stored under the /var/log directory.

       Paths:
            /var/log/mysql.*, /var/log/mysql(/.*)?, /var/log/mariadb(/.*)?

       mysqld_safe_exec_t

       - Set files with the mysqld_safe_exec_t type, if you want to transition
       an executable to the mysqld_safe_t domain.

       Paths:
            /usr/bin/mysqld_safe, /usr/libexec/mysqld_safe-scl-helper

       mysqld_tmp_t

       - Set files with the mysqld_tmp_t type, if you want to store mysqld
       temporary files in the /tmp directories.

       mysqld_unit_file_t

       - Set files with the mysqld_unit_file_t type, if you want to treat the
       files as mysqld unit content.

       Paths:
            /usr/lib/systemd/system/mysqld.*,
            /usr/lib/systemd/system/mariadb.*

       mysqld_var_run_t

       - Set files with the mysqld_var_run_t type, if you want to store the
       mysqld files under the /run or /var/run directory.

       Paths:
            /var/run/mysql(/.*)?, /var/run/mysqld(/.*)?,
            /var/run/mariadb(/.*)?, /var/lib/mysql/mysql.sock

       Note: File context can be temporarily modified with the chcon command,
       but labels set that way are reset to the database defaults by the next
       restorecon or relabel. If you want to permanently change the file
       context you need to use the semanage fcontext command. This will
       modify the SELinux labeling database. You will need to use restorecon
       to apply the labels.

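       When mysqld fails after a datadir, socket or log directory has been
       moved, the first question is whether the denial is a labeling problem
       (fixed with restorecon or a semanage fcontext rule as described above)
       or a network one (fixed with a boolean or a port label as described
       under BOOLEANS and PORT TYPES). The following triage is an added
       example, not part of the sepolicy-generated page: it reads AVC records
       in the format written to /var/log/audit/audit.log, keeps only those
       raised by mysqld_t, and sorts them into those two remedies by target
       class and target type. It is a first-pass sort for the classes this
       page names, not a replacement for audit2why or sealert. The function
       name and the sample audit lines are constructed for this example.

```shell
# Added example (not part of the sepolicy-generated page): triage AVC denials
# raised by mysqld_t into "fix the label" versus "fix the boolean/port".
# Reads audit.log lines on stdin; prints one classified line per denial.
triage_mysqld_avc() {          # usage: grep mysqld_t /var/log/audit/audit.log | triage_mysqld_avc
    awk '
        # value of a key=... token, quotes stripped; "" if the key is absent
        function field(s, key,    v) {
            if (match(s, key "=[^ ]+")) {
                v = substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
                gsub(/"/, "", v)
                return v
            }
            return ""
        }
        # the type component of user:role:type:level
        function ctx_type(c,    a) { split(c, a, ":"); return a[3] }

        /avc: +denied/ {
            if (ctx_type(field($0, "scontext")) != "mysqld_t") next
            ttype  = ctx_type(field($0, "tcontext"))
            tclass = field($0, "tclass")
            match($0, /[{][^}]*[}]/)                        # "{ write }"
            perms = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", perms)

            if (tclass == "tcp_socket" && perms ~ /name_connect/) {
                if (ttype == "http_port_t")
                    print "PORT  " perms " to " ttype " -> setsebool -P mysql_connect_http 1"
                else
                    print "PORT  " perms " to " ttype " dest=" field($0, "dest") \
                          " -> label the port mysqld_port_t, or mysql_connect_any (broad)"
            } else if (tclass ~ /^(file|dir|lnk_file|sock_file|fifo_file)$/ && ttype !~ /^mysqld_/) {
                print "LABEL " perms " " tclass " name=" field($0, "name") " labeled " ttype \
                      " -> restorecon -Rv <path>, or semanage fcontext -a -t <mysqld type> for a custom path"
            } else {
                print "OTHER " perms " " tclass " " ttype " -> inspect with audit2why or sealert"
            }
        }
    '
}

# Constructed audit.log excerpt (not from a real system): a datadir moved to
# /srv without relabeling (default_t), a connection to a proxy port, and an
# unrelated httpd denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1588600000.123:456): avc:  denied  { write } for  pid=1234 comm="mysqld" name="ibdata1" dev="dm-0" ino=131 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588600001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="mysqld" dest=8080 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1588600002.789:458): avc:  denied  { read } for  pid=5678 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Live use:  grep 'scontext=.*:mysqld_t' /var/log/audit/audit.log | triage_mysqld_avc
printf '%s\n' "$SAMPLE_AVC" | triage_mysqld_avc
```

       A LABEL line on default_t, var_t or unlabeled_t almost always means
       the data was moved without the semanage fcontext step described above;
       run restorecon after adding the rule rather than chcon, so the fix
       survives the next relabel. A PORT line is the signal to choose the
       narrowest remedy listed under BOOLEANS.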

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mysqld_safe_selinux(8)



mysqld                             20-05-05                  mysqld_selinux(8)