mysqld_selinux(8)            SELinux Policy mysqld           mysqld_selinux(8)

NAME

       mysqld_selinux - Security Enhanced Linux Policy for the mysqld processes


DESCRIPTION

       Security-Enhanced Linux confines the mysqld processes via flexible
       mandatory access control.

       The mysqld processes execute with the mysqld_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep mysqld_t




ENTRYPOINTS

       The mysqld_t SELinux type can be entered via the mysqld_exec_t file
       type.

       The default entrypoint paths for the mysqld_t domain are the following:

       /usr/sbin/mysqld(-max|-debug)?, /usr/sbin/ndbd, /usr/sbin/mariadbd,
       /usr/libexec/mysqld, /usr/libexec/mariadbd, /usr/bin/mysql_upgrade,
       /usr/bin/mariadb-upgrade, /usr/bin/mysqld_safe_helper,
       /usr/bin/mariadbd-safe-helper


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       mysqld policy is very flexible, allowing users to set up their mysqld
       processes in as secure a manner as possible.

       The following process types are defined for mysqld:

       mysqld_t, mysqld_safe_t

       Note: semanage permissive -a mysqld_t can be used to make the process
       type mysqld_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Use this only while diagnosing a denial, and remove it
       again with semanage permissive -d mysqld_t once the missing rule has
       been identified; a permissive mysqld_t has no effective confinement.


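       The check below is an added example, not part of the sepolicy-generated
       page: a POSIX sh helper that parses ps -eZ output and reports any
       mysqld, mariadbd, ndbd or mysqld_safe process whose SELinux type is not
       one of the two domains listed above. The embedded ps output is
       constructed for the example, not captured from a real host, and the
       set of process names it matches is an assumption taken from the
       entrypoint list above.

```shell
#!/bin/sh
# Added example (not part of the sepolicy-generated page): report database
# server processes that are NOT running in a mysqld domain.  On a live
# host feed it the real output:  unconfined_db_procs "$(ps -eZ)"

# Constructed sample of `ps -eZ` output (not captured from a real host).
# The third entry models a mysqld started by hand from an unconfined shell,
# which is what a mislabeled binary or a manual start usually looks like.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:mysqld_safe_t:s0  1200 ?        00:00:00 mysqld_safe
system_u:system_r:mysqld_t:s0       1234 ?        00:00:05 mariadbd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 pts/0 00:00:00 mysqld
system_u:system_r:init_t:s0            1 ?        00:00:01 systemd'

# unconfined_db_procs PS_OUTPUT
# Prints "PID CMD TYPE" for each mysqld/mariadbd/ndbd/mysqld_safe process
# whose SELinux type is neither mysqld_t nor mysqld_safe_t (the two process
# types this policy defines).  Prints nothing when everything is confined.
unconfined_db_procs() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # skip the ps header line
        $NF ~ /^(mysqld|mariadbd|ndbd|mysqld_safe|mariadbd-safe)$/ {
            split($1, ctx, ":")                   # user:role:type[:range]
            type = ctx[3]
            if (type != "mysqld_t" && type != "mysqld_safe_t")
                print $2, $NF, type
        }'
}

# db_procs_confined PS_OUTPUT
# Exit status for a health check: 0 if every database server process is
# confined, 1 if at least one runs outside the mysqld domains.
db_procs_confined() {
    [ -z "$(unconfined_db_procs "$1")" ]
}

unconfined_db_procs "$SAMPLE_PS"
```

       On the sample above the helper prints one line, the hand-started
       mysqld in unconfined_t. That case is worth catching: a process that
       never transitioned into mysqld_t is not subject to any of the rules,
       booleans or port types described in this page.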

BOOLEANS

       SELinux policy is customizable based on least access required. mysqld
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run mysqld with the tightest access possible.
       The -P option to setsebool makes the change persistent across reboots;
       without it the boolean reverts to its default at the next boot or
       policy reload.



       If you want to allow mysqld to connect to all ports, you must turn on
       the mysql_connect_any boolean. Disabled by default.

       setsebool -P mysql_connect_any 1



       If you want to allow mysqld to connect to the http port, you must turn
       on the mysql_connect_http boolean. Disabled by default.

       setsebool -P mysql_connect_http 1



       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1



       If you want to determine whether exim can connect to databases, you
       must turn on the exim_can_connect_db boolean. Disabled by default.

       setsebool -P exim_can_connect_db 1



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to determine whether ftpd can connect to databases over the
       TCP network, you must turn on the ftpd_connect_db boolean. Disabled by
       default.

       setsebool -P ftpd_connect_db 1



       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1



       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1



       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1



       If you want to allow PowerDNS to connect to databases over the network,
       you must turn on the pdns_can_network_connect_db boolean. Disabled by
       default.

       setsebool -P pdns_can_network_connect_db 1




PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

       The following port types are defined for mysqld:


       mysqld_port_t



       Default Defined Ports:
                 tcp 1186,3306,63132-63164

       If mysqld is configured to listen on a port outside these ranges, the
       port must be added to mysqld_port_t with semanage port before the
       daemon can bind it; otherwise the bind is denied and logged as an AVC.

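       The helper below is an added example, not part of this page or of the
       selinux-policy project: it tests a port number against the default
       mysqld_port_t ranges listed above and prints the semanage command needed
       when a server is configured to listen elsewhere (3307 is used only as an
       illustrative value). It only prints commands; nothing is executed.

```shell
#!/bin/sh
# Added example (not part of the page): check whether a TCP port is already
# covered by mysqld_port_t and, if not, print the semanage command that adds
# it.  The ranges below are the defaults listed in this man page; on a live
# host confirm them with:  semanage port -l | grep mysqld_port_t
MYSQLD_TCP_PORTS='1186,3306,63132-63164'

# port_is_mysqld PORT [RANGES]
# Returns 0 if PORT lies in one of the comma-separated ranges ("N" or
# "LO-HI"), 1 if it does not, 2 if PORT is not a valid TCP port number.
port_is_mysqld() {
    port=$1
    ranges=${2:-$MYSQLD_TCP_PORTS}
    case $port in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    oldifs=$IFS
    IFS=,
    for r in $ranges; do
        lo=${r%-*}          # "3306" -> 3306, "63132-63164" -> 63132
        hi=${r#*-}          # "3306" -> 3306, "63132-63164" -> 63164
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$oldifs
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# mysqld_port_cmd PORT
# Prints either a comment (port already labeled) or the semanage command to
# run.  Nothing is executed, so the output can be reviewed before applying.
mysqld_port_cmd() {
    port_is_mysqld "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "# tcp/$1 is already labeled mysqld_port_t ($MYSQLD_TCP_PORTS); nothing to do" ;;
        1) echo "semanage port -a -t mysqld_port_t -p tcp $1" ;;
        *) echo "invalid TCP port: $1" >&2; return 2 ;;
    esac
}

mysqld_port_cmd "${1:-3307}"
```

       If the port is already assigned to another type, semanage port -a
       fails with an "already defined" error; use semanage port -m -t
       mysqld_port_t -p tcp PORT to move it instead. Both semanage and
       setsebool require root.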

MANAGED FILES

       The SELinux process type mysqld_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process UID still needs DAC permission on
       these files; SELinux only adds restrictions and never grants access
       that ordinary file permissions deny.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       lastlog_t

            /var/log/lastlog.*

       mysqld_db_t

            /var/lib/mysql(-files|-keyring)?(/.*)?

       mysqld_log_t

            /var/log/mysql.*
            /var/log/mysql(/.*)?
            /var/log/mariadb(/.*)?

       mysqld_tmp_t


       mysqld_var_run_t

            /var/run/mysql(/.*)?
            /var/run/mysqld(/.*)?
            /var/run/mariadb(/.*)?
            /var/lib/mysql/mysql.sock

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux mysqld policy is very flexible, allowing users to set up their
       mysqld processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       mysqld policy stores data with multiple different file context types
       under the /var/log/mysql directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/log/mysql /srv/mysql/log
       restorecon -R -v /srv/mysql/log

       mysqld policy stores data with multiple different file context types
       under the /var/run/mysql directory. If you would like to store the
       data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following commands:

       semanage fcontext -a -e /var/run/mysql /srv/mysql/run
       restorecon -R -v /srv/mysql/run

       Each equivalence needs its own target path; a single directory cannot
       be declared equivalent to both /var/log/mysql and /var/run/mysql.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for mysqld. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to label a
       relocated data directory as database content:

       semanage fcontext -a -t mysqld_db_t '/srv/mysqld/content(/.*)?'
       restorecon -R -v /srv/mysqld/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. Metacharacters that occur literally in a path
       (such as a dot) must be escaped in the semanage pattern.

       The following file types are defined for mysqld:



       mysqld_db_t

       - Set files with the mysqld_db_t type, if you want to treat the files
       as mysqld database content.



       mysqld_etc_t

       - Set files with the mysqld_etc_t type, if you want to store mysqld
       files in the /etc directories.


       Paths:
            /etc/mysql(/.*)?, /etc/my.cnf.d(/.*)?, /etc/my.cnf


       mysqld_exec_t

       - Set files with the mysqld_exec_t type, if you want to transition an
       executable to the mysqld_t domain.


       Paths:
            /usr/sbin/mysqld(-max|-debug)?, /usr/sbin/ndbd, /usr/sbin/mariadbd,
            /usr/libexec/mysqld, /usr/libexec/mariadbd,
            /usr/bin/mysql_upgrade, /usr/bin/mariadb-upgrade,
            /usr/bin/mysqld_safe_helper, /usr/bin/mariadbd-safe-helper


       mysqld_home_t

       - Set files with the mysqld_home_t type, if you want to store mysqld
       files in the users' home directories.


       Paths:
            /root/.my.cnf, /home/[^/]+/.my.cnf


       mysqld_initrc_exec_t

       - Set files with the mysqld_initrc_exec_t type, if you want to
       transition an executable to the mysqld_initrc_t domain.



       mysqld_log_t

       - Set files with the mysqld_log_t type, if you want to treat the data
       as mysqld log data, usually stored under the /var/log directory.


       Paths:
            /var/log/mysql.*, /var/log/mysql(/.*)?, /var/log/mariadb(/.*)?


       mysqld_safe_exec_t

       - Set files with the mysqld_safe_exec_t type, if you want to transition
       an executable to the mysqld_safe_t domain.


       Paths:
            /usr/bin/mysqld_safe, /usr/bin/mariadbd-safe,
            /usr/libexec/mysqld_safe-scl-helper


       mysqld_tmp_t

       - Set files with the mysqld_tmp_t type, if you want to store mysqld
       temporary files in the /tmp directories.



       mysqld_unit_file_t

       - Set files with the mysqld_unit_file_t type, if you want to treat the
       files as mysqld unit content.


       Paths:
            /usr/lib/systemd/system/mysqld.*, /usr/lib/systemd/system/mariadb.*


       mysqld_var_run_t

       - Set files with the mysqld_var_run_t type, if you want to store the
       mysqld files under the /run or /var/run directory.


       Paths:
            /var/run/mysql(/.*)?, /var/run/mysqld(/.*)?, /var/run/mariadb(/.*)?,
            /var/lib/mysql/mysql.sock


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels. A later
       restorecon or full relabel will also undo any chcon change that is not
       backed by a semanage fcontext rule, so chcon alone is not a durable
       fix.


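       The helper below is an added example, not part of this page or of the
       policy sources: it prints the semanage fcontext and restorecon commands
       for a relocated data directory, escaping regular-expression
       metacharacters in the path and resolving symlinks first, since fcontext
       rules are matched against canonical paths. It also covers the
       equivalence alternative from the previous section. The directory names
       /srv/mysql/data and /srv/my.sql/data are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not part of the page): print the labeling commands for a
# relocated MariaDB/MySQL data directory.  Nothing is executed; review the
# output and then run it as root.  Two facts drive the design:
#   - semanage fcontext rules are regular expressions matched against the
#     canonical path, so symlinks are resolved and regex metacharacters in
#     the path are escaped;
#   - /var/lib/mysql is already mysqld_db_t in the default policy, so a
#     directory there needs only restorecon, not a new rule.

# regex_escape STRING -> STRING with POSIX regex metacharacters backslashed
regex_escape() {
    printf '%s' "$1" | sed 's/[][$^.*+?(){}|\\]/\\&/g'
}

# canonical_path DIR -> DIR with symlinks resolved when it exists, else DIR
canonical_path() {
    (cd -P -- "$1" 2>/dev/null && pwd -P) || printf '%s\n' "$1"
}

# datadir_label_cmds DIR [TYPE]
# TYPE defaults to mysqld_db_t (database content); use mysqld_log_t for a
# relocated log directory or mysqld_var_run_t for a relocated socket dir.
datadir_label_cmds() {
    dir=$(canonical_path "$1")
    type=${2:-mysqld_db_t}
    case $dir in
        /var/lib/mysql|/var/lib/mysql/*)
            echo "# $dir is already covered by the default mysqld_db_t rule; only restorecon -R -v $dir is needed"
            return 0 ;;
    esac
    esc=$(regex_escape "$dir")
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$esc"
    printf 'restorecon -R -v %s\n' "$dir"
}

# datadir_equiv_cmds DIR
# Alternative: declare DIR equivalent to /var/lib/mysql so that every rule
# under the default path (including the mysql.sock special case) applies.
datadir_equiv_cmds() {
    dir=$(canonical_path "$1")
    printf 'semanage fcontext -a -e /var/lib/mysql %s\n' "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
}

datadir_label_cmds "${1:-/srv/mysql/data}"
```

       After applying the printed commands, verify with ls -dZ on the
       directory and matchpathcon on a file inside it; if the two disagree,
       the pattern did not match the path as the kernel sees it.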

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), mysqld(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), mysqld_safe_selinux(8)



mysqld                             23-10-20                  mysqld_selinux(8)