I'm sure you've seen this before:
You need to slightly tweak the default installation of a major daemon - let's say you're running a big MySQL database and you need to put it on a different filesystem, mounted (for example) as /db. So you move /var/lib/mysql to /db/mysql (and preserve all the file attributes, including SELinux), change /etc/my.cnf accordingly, start mysqld - and it doesn't work. It turns out you need to tweak SELinux - test the daemon, run audit2allow on the audit log, tweak the policy, test again, repeat until it works.
I did this many times, but it strikes me as an inefficient process. Sure, you only do it once per install, but still.
I wish there was a simple way to tell SELinux "I moved the MySQL datadir (or the Squid cache dir, or the Cyrus-IMAPd spool) to this new location, but everything else stays the same, please stop bugging me."
Any ideas?
Florin Andrei wrote:
I wish there was a simple way to tell SELinux "I moved the MySQL datadir (or the Squid cache dir, or the Cyrus-IMAPd spool) to this new location, but everything else stays the same, please stop bugging me."
I think I figured out something:
In the particular case of moving /var/lib/mysql to the separate filesystem /db, it's enough to mount /db with the same SELinux context as /var:
mount -o defcontext=system_u:object_r:var_t /db
# ls -Z / | grep -e var -e db | grep -v srv
drwxr-xr-x  root root system_u:object_r:var_t  db
drwxr-xr-x  root root system_u:object_r:var_t  var
Then, if /db/mysql is created with the same SELinux attributes as /var/lib/mysql (and all its content too), SELinux appears to stop complaining about mysqld.
Florin Andrei wrote:
In the particular case of moving /var/lib/mysql to the separate filesystem /db, it's enough to mount /db with the same SELinux context as /var:
mount -o defcontext=system_u:object_r:var_t /db
Actually, in /etc/fstab you have to append a :s0, otherwise it won't mount automatically at boot:
LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2
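The thread's fix boils down to two details: the new filesystem is mounted with defcontext set to the var_t context, and the fstab entry must carry the MLS/MCS level (:s0) or the boot-time mount fails. The script below is an added example, not code posted in the thread; it builds such an fstab line from a 3- or 4-field context and audits an existing line for a missing level. The device label LABEL=/db, the ext3 type and the var_t context are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate and audit an
# /etc/fstab entry that mounts a separate filesystem with the same SELinux
# default context as /var. A bare user:role:type context works for a manual
# "mount -o defcontext=...", but the fstab entry needs the level appended.

# Count the colon-separated fields of a SELinux context string.
ctx_fields() {
    printf '%s' "$1" | awk -F: '{ print NF }'
}

# Return the context with a level appended when it has only user:role:type.
# system_u:object_r:var_t      -> system_u:object_r:var_t:s0
# system_u:object_r:var_t:s0   -> unchanged
ctx_with_level() {
    ctx="$1"
    level="${2:-s0}"
    case "$(ctx_fields "$ctx")" in
        3) printf '%s:%s\n' "$ctx" "$level" ;;
        4) printf '%s\n' "$ctx" ;;
        *) printf 'invalid SELinux context: %s\n' "$ctx" >&2; return 1 ;;
    esac
}

# Print a complete fstab line: device mountpoint fstype options dump pass.
# Dump/pass values 1 2 match the entry shown in the thread.
fstab_defcontext_line() {
    device="$1"; mountpoint="$2"; fstype="$3"
    full=$(ctx_with_level "$4") || return 1
    printf '%s %s %s defcontext=%s 1 2\n' "$device" "$mountpoint" "$fstype" "$full"
}

# Audit one fstab line. Exit status:
#   0 - defcontext present and carries a level (will mount at boot)
#   1 - defcontext present but lacks the level (the failure described in the thread)
#   2 - no defcontext option on the line
fstab_defcontext_check() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    ctx=""
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case "$opt" in
            defcontext=*) ctx=${opt#defcontext=} ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$ctx" ] || return 2
    [ "$(ctx_fields "$ctx")" -eq 4 ]
}

# Stand-alone demonstration with the values from the thread.
fstab_defcontext_line LABEL=/db /db ext3 system_u:object_r:var_t
if fstab_defcontext_check "LABEL=/db /db ext3 defcontext=system_u:object_r:var_t 1 2"; then
    echo "entry ok"
else
    echo "entry will not mount at boot: defcontext lacks a level (rc=$?)"
fi
```

Run it before rebooting after editing /etc/fstab: feed each defcontext line to fstab_defcontext_check, and regenerate any that return 1 with fstab_defcontext_line so the level is present.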