
Configuring SELinux for MySQL: Managing Access Controls and Directory Contexts

This article explains how SELinux enforces mandatory access control on Linux, describes its three modes, shows how to view and modify SELinux contexts for MySQL processes and data directories, and provides step‑by‑step commands to add custom paths, logs, PID files, and ports while preserving system security.

Aikesheng Open Source Community

To improve Linux system security, administrators often use SELinux or AppArmor for mandatory access control (MAC). When MySQL runs under SELinux, the default configuration usually works, but changing the data directory or the listening port can cause SELinux to block mysqld, so the server fails to start. This article describes how SELinux affects MySQL and how to adjust the SELinux labels for MySQL's resources instead of disabling SELinux.

1. Introduction

SELinux (Security-Enhanced Linux) is a kernel‑level security mechanism integrated into the Linux kernel since version 2.6. It allows administrators to define fine‑grained access controls, denying any access that is not explicitly permitted by the loaded policy.

SELinux operates in three modes:

enforcing – violations are blocked and logged.

permissive – violations are only logged.

disabled – SELinux is turned off.

Use getenforce to display the current mode. Change the mode at runtime with setenforce 0 (permissive) or setenforce 1 (enforcing). To make the change persistent across reboots, edit /etc/selinux/config and set the SELINUX variable to enforcing, permissive or disabled.

Check SELinux status with:

[root@redhat7 ~]# sestatus
SELinux status:               enabled
SELinuxfs mount:              /sys/fs/selinux
SELinux root directory:       /etc/selinux
Loaded policy name:           targeted
Current mode:                 enforcing
Mode from config file:        enforcing
Policy MLS status:            enabled
Policy deny_unknown status:   allowed
Max kernel policy version:    28
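As an added example that is not part of the original article, the following POSIX shell functions read and change the persistent SELINUX= setting in a file laid out like /etc/selinux/config, and compare it with the running mode reported by getenforce. The config file path is a parameter so the functions can be exercised on a copy without root; the sample config written by make_sample_config is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): read and change the
# persistent SELinux mode in a config file of the /etc/selinux/config form.
# The config path is a parameter so the functions can be tried on a copy;
# the real file is /etc/selinux/config and needs root to write.

# Print the value of SELINUX= from the config file, ignoring comment lines
# such as "#     disabled - No SELinux policy is loaded."
selinux_config_mode() {
    config_file="$1"
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$config_file" | tail -n 1
}

# Rewrite SELINUX= to one of the three documented values and print the
# resulting setting. Any other value is rejected before the file is touched.
set_selinux_config_mode() {
    config_file="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # Edit a temporary copy and move it into place, so a failed edit never
    # leaves a half-written config behind. SELINUXTYPE= is left untouched.
    tmp="${config_file}.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=[a-z]*/SELINUX=$mode/" "$config_file" > "$tmp" \
        && mv "$tmp" "$config_file"
    selinux_config_mode "$config_file"
}

# Compare the running mode with the configured one. A mismatch means
# setenforce was used without updating the config (or the reverse), so the
# effective mode will change at the next boot. Prints "match" or "mismatch".
# The running mode may be passed as the second argument, which lets the
# check run on hosts without the SELinux tools.
check_mode_drift() {
    config_file="$1"
    running="${2:-$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')}"
    configured="$(selinux_config_mode "$config_file")"
    if [ "$running" = "$configured" ]; then echo match; else echo mismatch; fi
}

# Constructed sample config, modelled on the layout of /etc/selinux/config.
make_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
EOF
}
```

The config file is only read at boot, so after editing it the running mode still comes from getenforce; switching between enforcing and permissive takes effect immediately with setenforce, whereas going to or from disabled requires a reboot (and, when re-enabling, a filesystem relabel).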

2. Viewing MySQL SELinux Context

Show the SELinux context of the mysqld process with:

[root@redhat7 ~]# ps -eZ | grep mysqld
system_u:system_r:mysqld_t:s0    2381 ?        00:01:00 mysqld

Show the SELinux context of the MySQL data directory with:

[root@redhat7 ~]# ls -dZ /var/lib/mysql
drwxr-x--x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

Explanation of fields:

system_u – SELinux user for system processes and objects.

system_r – SELinux role for system processes.

object_r – SELinux role for system objects.

mysqld_t – SELinux type for the mysqld process.

mysqld_db_t – SELinux type for the MySQL data directory.

3. Modifying Access Control for the MySQL Data Directory

If the data directory is moved from the default /var/lib/mysql, SELinux will block mysqld, causing the server to fail to start. The denial messages are recorded in /var/log/audit/audit.log:

# grep mysql /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1609212427.622:104): avc:  denied  { write } for pid=2218 comm="mysqld" name="data" ...

Instead of disabling SELinux, add the new directory to the mysqld_db_t type:

# semanage fcontext -a -t mysqld_db_t "/disk1/data(/.*)?"
# restorecon -Rv /disk1/data

Verify the addition:

# semanage fcontext -l | grep mysqld_db_t
/var/lib/mysql(/.*)?               all files   system_u:object_r:mysqld_db_t:s0
/disk1/data(/.*)?                  all files   system_u:object_r:mysqld_db_t:s0

After restoring the context, restart mysqld and it will start successfully.

4. Modifying Access Control for Other MySQL Objects

Similar steps can be used to label other MySQL objects:

# semanage fcontext -a -t mysqld_log_t "/path/to/my/custom/error.log"
# restorecon -Rv /path/to/my/custom/error.log

# semanage fcontext -a -t mysqld_var_run_t "/path/to/my/custom/pidfile/directory/.*?"
# restorecon -Rv /path/to/my/custom/pidfile/directory

# semanage port -a -t mysqld_port_t -p tcp 3307

These commands label the custom error log as mysqld_log_t, the PID file directory as mysqld_var_run_t, and TCP port 3307 as mysqld_port_t, so mysqld can use the new resources while SELinux stays in enforcing mode.
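The following shell script is added here and is not part of the original article or of MySQL itself. It ties sections 3 and 4 together: it extracts mysqld denials from an audit log, splits the context fields described in section 2 to report which target type was denied, and generates the semanage and restorecon commands for a relocated data directory, a single file, or a custom port. Commands are only printed unless DRY_RUN=0 is set, so they can be reviewed before being applied as root. The audit record, the /disk1/data path and port 3307 are constructed samples taken from the article's own values.

```shell
#!/bin/sh
# Added example, not from the original article: read AVC denials for mysqld
# out of an audit log and produce the matching semanage/restorecon fix.
# DRY_RUN defaults to 1 (print the commands); set DRY_RUN=0 to run them.
# All sample values below are constructed.
: "${DRY_RUN:=1}"

# Extract one key=value field (pid, comm, name, scontext, tcontext, ...)
# from an audit record; values may be bare or double-quoted.
avc_field() {
    line="$1"; key="$2"
    printf '%s\n' "$line" |
        sed -n "s/.*[[:space:]]$key=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The third field of a context such as system_u:object_r:mysqld_db_t:s0 is
# the SELinux type, which is what the targeted policy decides on.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Summarize a denial as "<permissions> <comm> <target type>", for example
# "write mysqld default_t". Records that are not denials print nothing.
avc_summary() {
    line="$1"
    case "$line" in
        *"avc:  denied "*) ;;
        *) return 1 ;;
    esac
    perms="$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([a-z_ ]*\) }.*/\1/p')"
    echo "$perms $(avc_field "$line" comm) $(context_type "$(avc_field "$line" tcontext)")"
}

# List every mysqld denial in an audit log file, one summary per line.
# A target type that is not mysqld_* usually means a mislabeled path or port.
mysqld_denials() {
    grep 'comm="mysqld"' "$1" | grep denied | while IFS= read -r line; do
        avc_summary "$line"
    done
}

# Regex that semanage fcontext expects for a directory and everything below it.
fcontext_pattern() {
    dir="${1%/}"
    echo "$dir(/.*)?"
}

# Run a command, or in dry-run mode print it with any argument containing
# shell-special characters (such as the regex) double-quoted.
run_cmd() {
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
        return
    fi
    printf '%s' "$1"; shift
    for arg; do
        case "$arg" in
            *[!A-Za-z0-9_./=-]*) printf ' "%s"' "$arg" ;;
            *) printf ' %s' "$arg" ;;
        esac
    done
    printf '\n'
}

# Label a directory tree (e.g. a relocated datadir as mysqld_db_t) or a
# single file (e.g. an error log as mysqld_log_t), then apply the labels.
label_tree() {
    run_cmd semanage fcontext -a -t "$1" "$(fcontext_pattern "$2")"
    run_cmd restorecon -Rv "$2"
}
label_file() {
    run_cmd semanage fcontext -a -t "$1" "$2"
    run_cmd restorecon -v "$2"
}

# Allow mysqld to bind a non-default TCP port.
label_port() {
    run_cmd semanage port -a -t mysqld_port_t -p tcp "$1"
}

# Stand-alone demonstration on a constructed denial record.
avc_summary 'type=AVC msg=audit(1609212427.622:104): avc:  denied  { write } for  pid=2218 comm="mysqld" name="data" scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'
label_tree mysqld_db_t /disk1/data
label_port 3307
```

Printing the commands first is deliberate: semanage changes are persistent policy state, and a typo in the regex (for instance a missing "(/.*)?") silently leaves subdirectories unlabeled, which is exactly the kind of denial the summary output makes visible.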

Written by

Aikesheng Open Source Community

The Aikesheng Open Source Community provides stable, enterprise‑grade MySQL open‑source tools and services, releases a premium open‑source component each year (1024), and continuously operates and maintains them.
