The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with
mysql. Different types allow you to configure flexible access:
This type is used for the location of the MySQL database. In Red Hat Enterprise Linux, the default location for the database is
/var/lib/mysql/, however this can be changed. If the location for the MySQL database is changed, the new location must be labeled with this type. Refer to the following example for instructions on how to change the default database location and how to label the new section appropriately.
This type is used for the MySQL main configuration file
/etc/my.cnf and any other configuration files in the
This type is used for the
mysqld binary located at
/usr/libexec/mysqld, which is the default location for the MySQL binary on Red Hat Enterprise Linux. Other systems may locate this binary at
/usr/sbin/mysqld which should also be labeled with this type.
This type is used for the initialization file for MySQL, located at
/etc/rc.d/init.d/mysqld by default in Red Hat Enterprise Linux.
Logs for MySQL need to be labeled with this type for proper operation. All log files in
/var/log/ matching the
mysql.* wildcard must be labeled with this type.
This type is used by files in
/var/run/mysqld/, specifically the process id (PID) named
/var/run/mysqld/mysqld.pid which is created by the
mysqld daemon when it runs. This type is also used for related socket files such as
/var/lib/mysql/mysql.sock. Files such as these must be labeled correctly for proper operation as a confined service.