Brand new \"minimal\" install of CentOS 7 along with MariaDB 10. I have an additional mounted mirrored volume that I want to use for the datadir. Startup sequence is fine and co
I found this step by step guide working for me: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-MariaDB-Configuration_Examples.html
You must install: yum install policycoreutils-python
Guide:
View the SELinux context of the default database location for mysql:
~]# ls -lZ /var/lib/mysql
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
This shows mysqld_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
Stop the mysqld daemon:
~]# systemctl stop mariadb.service
Create a new directory for the new location of the database(s). In this example, /mysql/ is used:
~]# mkdir -p /mysql
Copy the database files from the old location to the new location:
~]# cp -R /var/lib/mysql/* /mysql/
Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe:
~]# chown -R mysql:mysql /mysql
Run the following command to see the initial context of the new directory:
~]# ls -lZ /mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0 mysql
The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MariaDB database files. Once the context has been changed, MariaDB will be able to function properly in this area.
Open the main MariaDB configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example the value that should be entered is /mysql:
[mysqld]
datadir=/mysql
Save this file and exit.
Start mysqld. The service should fail to start, and a denial message will be logged to the /var/log/messages file:
~]# systemctl start mariadb.service
Job for mariadb.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.
However, if the audit daemon is running and with him the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead: SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71
The reason for this denial is that /mysql/ is not labeled correctly for MariaDB data files. SELinux is stopping MariaDB from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:
Run the following command to add a context mapping for /mysql/. Note that the semanageutility is not installed by default. If it missing on your system, install the policycoreutils-pythonpackage.
**~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"**
This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:
~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
/mysql(/.*)? system_u:object_r:mysqld_db_t:s0
Now use the restorecon utility to apply this context mapping to the running system:
**~]# restorecon -R -v /mysql**
Now that the /mysql/ location has been labeled with the correct context for MariaDB, mysqldstarts:
~]# systemctl start mariadb.service
Confirm the context has changed for /mysql/:
~]$ ls -lZ /mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
The location has been changed and labeled, and mysqld has started successfully. At this point all running services should be tested to confirm normal operation.