[CentOS] Moving Mysql data directory denied by selinux?
Jim Perrin
jperrin at gmail.com
Tue Oct 10 12:49:05 UTC 2006
> Now normally I just move /var/lib/mysql to /home/mysql and symlink it.
Um... why? This seems like it would be more trouble than it's worth.
And with the symlink, I don't see the benefit.
> SELinux complains with
> Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied
> { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340
> scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t
> tclass=lnk_file
Correct. It has permission to access the directory where your symlink
is, but it cannot follow it.
> Ok, I guess it doesn't like following symlinks so instead I edited /etc/my.cnf
This is really how you should move the data directory anyway. Faking
it as you were doing works, but it's not 'proper'.
> Now SELinux complains with
> Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied
> { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2
> scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t
> tclass=dir
Correct, because now mysql doesn't have the proper context to be in
/home/ poking around.
> WHY is mysqld trying to read / when I told it to use /home/mysql ?
Because you have to get to / before you can get to /home/ and
/home/mysql. Directory traversal vulnerabilities are quite
commonplace, which is why you see all the
$DOCUMENT_ROOT/../../../etc/somedir/ type attempts in logs
occasionally for things like apache.
> BTW, here are the security contexts on /home/mysql
> # ls -laZ /home/
> drwxr-xr-x mysql mysql system_u:object_r:mysqld_db_t mysql
I'm still questioning the logic for moving mysql.
> Can anyone please shed some light on this for me?
>
> What exactly is the avc message telling me and how do I fix it?
>
--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
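As an added example (not part of Jim's reply or of the original thread), here is a small POSIX shell helper that parses kernel AVC lines of the form quoted above and states in plain words which access failed, plus a function that lists every directory on the way to a data directory so each label can be inspected with ls -dZ. The two AVC lines embedded in it are copies of the ones quoted in the thread (joined back onto one line); the function names avc_field, avc_explain, path_ancestors and show_path_contexts are my own.

```shell
#!/bin/sh
# Triage helper for SELinux AVC denials like the ones in the thread.
# Added example, not code from the original post.

# Constructed copies of the two denials quoted in the thread, one per line.
AVC_SYMLINK='Oct 10 21:21:59 intspare kernel: audit(1160479319.080:2): avc: denied { read } for pid=15784 comm="mysqld" name="mysql" dev=dm-0 ino=1230340 scontext=root:system_r:mysqld_t tcontext=root:object_r:var_lib_t tclass=lnk_file'
AVC_TRAVERSE='Oct 10 22:04:27 intspare kernel: audit(1160481867.663:2): avc: denied { search } for pid=3073 comm="mysqld" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:mysqld_t tcontext=system_u:object_r:home_root_t tclass=dir'

# avc_field LINE KEY: print the value of KEY=value from an AVC line.
# Values may be quoted (comm="mysqld") or bare (tclass=dir); prints
# nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_explain LINE: describe the denial in terms of the process (source
# type), the object (target type) and the operation that was refused.
avc_explain() {
    line=$1
    # The permission set sits between the braces after "denied".
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p')
    comm=$(avc_field "$line" comm)
    name=$(avc_field "$line" name)
    tclass=$(avc_field "$line" tclass)
    # The type is the third colon-separated field of a context.
    stype=$(avc_field "$line" scontext | cut -d: -f3)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    case "$tclass:$perm" in
        lnk_file:read)
            hint="$comm ($stype) may not read the symlink '$name' labelled $ttype, so it cannot follow it" ;;
        dir:search)
            hint="$comm ($stype) may not traverse the directory '$name' labelled $ttype; every directory on the path to the data directory must be searchable" ;;
        *)
            hint="$comm ($stype) was denied $perm on $tclass '$name' labelled $ttype" ;;
    esac
    printf '%s\n' "$hint"
}

# path_ancestors PATH: print "/" and every prefix of the absolute PATH,
# shortest first, separated by spaces (paths containing spaces are not
# handled).  This is the traversal Jim describes: / before /home before
# /home/mysql.
path_ancestors() {
    p=${1%/}
    list=""
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        list="$p $list"
        p=${p%/*}
    done
    printf '%s\n' "/${list:+ ${list% }}"
}

# show_path_contexts PATH: print the SELinux label of each directory on
# the way to PATH, so the component the process may not search stands out.
show_path_contexts() {
    for d in $(path_ancestors "$1"); do
        ls -dZ "$d"
    done
}

# Usage when run as a script:
avc_explain "$AVC_SYMLINK"
avc_explain "$AVC_TRAVERSE"
```

Read against the thread: the first line reports the symlink denial (the source type mysqld_t may read directories labelled var_lib_t but not a lnk_file there), and the second reports the traversal denial on a directory labelled home_root_t; that denial names "/" on dev=dm-1, a different device from the dm-0 of the first line, which matches /home being its own filesystem. Running show_path_contexts /home/mysql on the affected host prints the label of /, /home and /home/mysql in turn, which is the check to make after relocating a data directory.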