[CentOS] Moving Mysql data directory denied by selinux?

Jim Perrin jperrin at gmail.com
Tue Oct 10 12:49:05 UTC 2006

> Now normally I just move /var/lib/mysql to /home/mysql and symlink it.

Um... why? This seems like it would be more trouble than it's worth.
and with the symlink, I don't see the benefit.

> SELinux complains with
> Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc:  denied
> { read } for  pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340
> scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t
> tclass=lnk_file

Correct. It has permission to access the directory where your symlink
is, but it cannot follow it.

> Ok, I guess it doesnt like following symlinks so instead I edited /etc/my.cnf

This is really how you should move the data directory anyway. Faking
it as you were doing works, but it's not 'proper'.

> Now SELinux complains with
> Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc:  denied
> { search } for  pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2
> scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t
> tclass=dir

Correct, because now mysql doesn't have the proper context to be in
/home/ poking around.

> WHY is mysqld trying to read / when I told it to use /home/mysql ?

Because you have to get to / before you can get to /home/ and
/home/mysql.. Directory traversal vulnerabilities are quite
commonplace, which is why you see all the
$DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs
occasionally for things like apache.

> BTW, here is the security contexts on /home/mysql
> # ls -laZ /home/
> drwxr-xr-x  mysql    mysql    system_u:object_r:mysqld_db_t    mysql

I'm still questioning the logic for moving mysql.

> Can anyone please shed some light on this for me?
> What exactly is the avc message telling me and how do I fix it?

During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

More information about the CentOS mailing list