mysqld_selinux(8)

1mysqld_selinux(8)            SELinux Policy mysqld           mysqld_selinux(8)
2
3
4

NAME

6       mysqld_selinux  -  Security  Enhanced  Linux Policy for the mysqld pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  mysqld  processes  via  flexible
11       mandatory access control.
12
13       The  mysqld  processes  execute with the mysqld_t SELinux type. You can
14       check if you have these processes running by executing the  ps  command
15       with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep mysqld_t
20
21
22

ENTRYPOINTS

24       The  mysqld_t  SELinux  type  can be entered via the mysqld_exec_t file
25       type.
26
27       The default entrypoint paths for the mysqld_t domain are the following:
28
29       /usr/sbin/mysqld(-max|-debug)?,  /usr/sbin/ndbd,   /usr/libexec/mysqld,
30       /usr/libexec/mariadbd,   /usr/bin/mysql_upgrade,   /usr/bin/mariadb-up‐
31       grade, /usr/bin/mysqld_safe_helper, /usr/bin/mariadbd-safe-helper
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       mysqld policy is very flexible allowing users  to  setup  their  mysqld
41       processes in as secure a method as possible.
42
43       The following process types are defined for mysqld:
44
45       mysqld_t, mysqld_safe_t
46
47       Note:  semanage  permissive -a mysqld_t can be used to make the process
48       type mysqld_t permissive. SELinux does not deny  access  to  permissive
49       process  types, but the AVC (SELinux denials) messages are still gener‐
50       ated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least access required.   mysqld
55       policy is extremely flexible and has several booleans that allow you to
56       manipulate the policy and run mysqld with the tightest access possible.
57
58
59
60       If you want to allow mysqld to connect to all ports, you must  turn  on
61       the mysql_connect_any boolean. Disabled by default.
62
63       setsebool -P mysql_connect_any 1
64
65
66
67       If  you  want to allow mysqld to connect to http port, you must turn on
68       the mysql_connect_http boolean. Disabled by default.
69
70       setsebool -P mysql_connect_http 1
71
72
73
74       If you want to determine whether exim can  connect  to  databases,  you
75       must turn on the exim_can_connect_db boolean. Disabled by default.
76
77       setsebool -P exim_can_connect_db 1
78
79
80
81       If you want to allow all domains to execute in fips_mode, you must turn
82       on the fips_mode boolean. Enabled by default.
83
84       setsebool -P fips_mode 1
85
86
87
88       If you want to determine whether ftpd can connect to databases over the
89       TCP  network, you must turn on the ftpd_connect_db boolean. Disabled by
90       default.
91
92       setsebool -P ftpd_connect_db 1
93
94
95
96       If you want to allow HTTPD scripts and modules to connect to  databases
97       over  the  network,  you  must turn on the httpd_can_network_connect_db
98       boolean. Disabled by default.
99
100       setsebool -P httpd_can_network_connect_db 1
101
102
103
104       If you want to allow confined applications to run  with  kerberos,  you
105       must turn on the kerberos_enabled boolean. Enabled by default.
106
107       setsebool -P kerberos_enabled 1
108
109
110
111       If  you  want  to  allow  system  to run with NIS, you must turn on the
112       nis_enabled boolean. Disabled by default.
113
114       setsebool -P nis_enabled 1
115
116
117
118       If you want to allow PowerDNS to connect to databases over the network,
119       you  must  turn on the pdns_can_network_connect_db boolean. Disabled by
120       default.
121
122       setsebool -P pdns_can_network_connect_db 1
123
124
125

PORT TYPES

127       SELinux defines port types to represent TCP and UDP ports.
128
129       You can see the types associated with a port  by  using  the  following
130       command:
131
132       semanage port -l
133
134
135       Policy  governs  the  access  confined  processes  have to these ports.
136       SELinux mysqld policy is very flexible allowing users  to  setup  their
137       mysqld processes in as secure a method as possible.
138
139       The following port types are defined for mysqld:
140
141
142       mysqld_port_t
143
144
145
146       Default Defined Ports:
147                 tcp 1186,3306,63132-63164
148

MANAGED FILES

150       The  SELinux  process  type  mysqld_t can manage files labeled with the
151       following file types.  The paths listed are the default paths for these
152       file types.  Note the processes UID still need to have DAC permissions.
153
154       cluster_conf_t
155
156            /etc/cluster(/.*)?
157
158       cluster_var_lib_t
159
160            /var/lib/pcsd(/.*)?
161            /var/lib/cluster(/.*)?
162            /var/lib/openais(/.*)?
163            /var/lib/pengine(/.*)?
164            /var/lib/corosync(/.*)?
165            /usr/lib/heartbeat(/.*)?
166            /var/lib/heartbeat(/.*)?
167            /var/lib/pacemaker(/.*)?
168
169       cluster_var_run_t
170
171            /var/run/crm(/.*)?
172            /var/run/cman_.*
173            /var/run/rsctmp(/.*)?
174            /var/run/aisexec.*
175            /var/run/heartbeat(/.*)?
176            /var/run/pcsd-ruby.socket
177            /var/run/corosync-qnetd(/.*)?
178            /var/run/corosync-qdevice(/.*)?
179            /var/run/corosync.pid
180            /var/run/cpglockd.pid
181            /var/run/rgmanager.pid
182            /var/run/cluster/rgmanager.sk
183
184       faillog_t
185
186            /var/log/btmp.*
187            /var/log/faillog.*
188            /var/log/tallylog.*
189            /var/run/faillock(/.*)?
190
191       hugetlbfs_t
192
193            /dev/hugepages
194            /usr/lib/udev/devices/hugepages
195
196       krb5_host_rcache_t
197
198            /var/tmp/krb5_0.rcache2
199            /var/cache/krb5rcache(/.*)?
200            /var/tmp/nfs_0
201            /var/tmp/DNS_25
202            /var/tmp/host_0
203            /var/tmp/imap_0
204            /var/tmp/HTTP_23
205            /var/tmp/HTTP_48
206            /var/tmp/ldap_55
207            /var/tmp/ldap_487
208            /var/tmp/ldapmap1_0
209
210       lastlog_t
211
212            /var/log/lastlog.*
213
214       mysqld_db_t
215
216            /var/lib/mysql(-files|-keyring)?(/.*)?
217
218       mysqld_log_t
219
220            /var/log/mysql.*
221            /var/log/mysql(/.*)?
222            /var/log/mariadb(/.*)?
223
224       mysqld_tmp_t
225
226
227       mysqld_var_run_t
228
229            /var/run/mysql(/.*)?
230            /var/run/mysqld(/.*)?
231            /var/run/mariadb(/.*)?
232            /var/lib/mysql/mysql.sock
233
234       root_t
235
236            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
237            /
238            /initrd
239
240       security_t
241
242            /selinux
243
244

FILE CONTEXTS

246       SELinux requires files to have an extended attribute to define the file
247       type.
248
249       You can see the context of a file using the -Z option to ls
250
251       Policy governs the access  confined  processes  have  to  these  files.
252       SELinux  mysqld  policy  is very flexible allowing users to setup their
253       mysqld processes in as secure a method as possible.
254
255       EQUIVALENCE DIRECTORIES
256
257
258       mysqld policy stores data with multiple different  file  context  types
259       under  the  /var/log/mysql  directory.   If you would like to store the
260       data in a different directory you can use the semanage command to  cre‐
261       ate an equivalence mapping.  If you wanted to store this data under the
262       /srv directory you would execute the following command:
263
264       semanage fcontext -a -e /var/log/mysql /srv/mysql
265       restorecon -R -v /srv/mysql
266
267       mysqld policy stores data with multiple different  file  context  types
268       under  the  /var/run/mysql  directory.   If you would like to store the
269       data in a different directory you can use the semanage command to  cre‐
270       ate an equivalence mapping.  If you wanted to store this data under the
271       /srv directory you would execute the following command:
272
273       semanage fcontext -a -e /var/run/mysql /srv/mysql
274       restorecon -R -v /srv/mysql
275
276       STANDARD FILE CONTEXT
277
278       SELinux defines the file context types for the mysqld, if you wanted to
279       store  files  with  these types in a diffent paths, you need to execute
280       the semanage command to specify alternate labeling  and  then  use  re‐
281       storecon to put the labels on disk.
282
283       semanage fcontext -a -t mysqld_tmp_t '/srv/mymysqld_content(/.*)?'
284       restorecon -R -v /srv/mymysqld_content
285
286       Note:  SELinux  often  uses  regular expressions to specify labels that
287       match multiple files.
288
289       The following file types are defined for mysqld:
290
291
292
293       mysqld_db_t
294
295       - Set files with the mysqld_db_t type, if you want to treat  the  files
296       as mysqld database content.
297
298
299
300       mysqld_etc_t
301
302       -  Set  files  with  the mysqld_etc_t type, if you want to store mysqld
303       files in the /etc directories.
304
305
306       Paths:
307            /etc/mysql(/.*)?, /etc/my.cnf.d(/.*)?, /etc/my.cnf
308
309
310       mysqld_exec_t
311
312       - Set files with the mysqld_exec_t type, if you want to  transition  an
313       executable to the mysqld_t domain.
314
315
316       Paths:
317            /usr/sbin/mysqld(-max|-debug)?,                    /usr/sbin/ndbd,
318            /usr/libexec/mysqld,   /usr/libexec/mariadbd,   /usr/bin/mysql_up‐
319            grade,    /usr/bin/mariadb-upgrade,   /usr/bin/mysqld_safe_helper,
320            /usr/bin/mariadbd-safe-helper
321
322
323       mysqld_home_t
324
325       - Set files with the mysqld_home_t type, if you want  to  store  mysqld
326       files in the users home directory.
327
328
329       Paths:
330            /root/.my.cnf, /home/[^/]+/.my.cnf
331
332
333       mysqld_initrc_exec_t
334
335       -  Set files with the mysqld_initrc_exec_t type, if you want to transi‐
336       tion an executable to the mysqld_initrc_t domain.
337
338
339
340       mysqld_log_t
341
342       - Set files with the mysqld_log_t type, if you want to treat  the  data
343       as mysqld log data, usually stored under the /var/log directory.
344
345
346       Paths:
347            /var/log/mysql.*, /var/log/mysql(/.*)?, /var/log/mariadb(/.*)?
348
349
350       mysqld_safe_exec_t
351
352       - Set files with the mysqld_safe_exec_t type, if you want to transition
353       an executable to the mysqld_safe_t domain.
354
355
356       Paths:
357            /usr/bin/mysqld_safe,                      /usr/bin/mariadbd-safe,
358            /usr/libexec/mysqld_safe-scl-helper
359
360
361       mysqld_tmp_t
362
363       -  Set  files  with  the mysqld_tmp_t type, if you want to store mysqld
364       temporary files in the /tmp directories.
365
366
367
368       mysqld_unit_file_t
369
370       - Set files with the mysqld_unit_file_t type, if you want to treat  the
371       files as mysqld unit content.
372
373
374       Paths:
375            /usr/lib/systemd/system/mysqld.*,    /usr/lib/systemd/system/mari‐
376            adb.*
377
378
379       mysqld_var_run_t
380
381       - Set files with the mysqld_var_run_t type, if you want  to  store  the
382       mysqld files under the /run or /var/run directory.
383
384
385       Paths:
386            /var/run/mysql(/.*)?,     /var/run/mysqld(/.*)?,    /var/run/mari‐
387            adb(/.*)?, /var/lib/mysql/mysql.sock
388
389
390       Note: File context can be temporarily modified with the chcon  command.
391       If  you want to permanently change the file context you need to use the
392       semanage fcontext command.  This will modify the SELinux labeling data‐
393       base.  You will need to use restorecon to apply the labels.
394
395

COMMANDS

397       semanage  fcontext  can also be used to manipulate default file context
398       mappings.
399
400       semanage permissive can also be used to manipulate  whether  or  not  a
401       process type is permissive.
402
403       semanage  module can also be used to enable/disable/install/remove pol‐
404       icy modules.
405
406       semanage port can also be used to manipulate the port definitions
407
408       semanage boolean can also be used to manipulate the booleans
409
410
411       system-config-selinux is a GUI tool available to customize SELinux pol‐
412       icy settings.
413
414

AUTHOR

416       This manual page was auto-generated using sepolicy manpage .
417
418