[CentOS] Unable to apply mysqld_db_t to mysql directory

Mon Oct 23 18:18:49 UTC 2017
Bernard Fay <bernard.fay at gmail.com>

Thanks, I managed to fix /var/lib/mysql

# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

To fix it, I tried:
semanage fcontext -d -e /var/lib/mysql
This command returned:
KeyError: /var/lib/mysql
I tried restorecon anyway:
restorecon -Rv /var/lib/mysql
But it was no better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql

So I did the following:
semanage fcontext -d -t var_lib_t /var/lib/mysql
It started to look better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   /var/lib/mysql
Then I ran restorecon
restorecon -Rv /var/lib/mysql
I got a lot of:
restorecon reset /var/lib/mysql/...

And then I got the proper context on /var/lib/mysql.


I think there are still many things I do not understand about SELinux.

I thought the equivalence thing I did with the command below was going to
assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!
semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql


I still have the following equivalence:
# semanage fcontext -lC
SELinux fcontext                                   type
Context

/home/users(/.*)?                                  all files
system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                                     all files
system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?                               all files
system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
mysql = ./mysql.old


Should I be worried about those two equivalences?


Thanks,
Bernard


On Mon, Oct 23, 2017 at 1:41 PM, James Hogarth <james.hogarth at gmail.com>
wrote:

> On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard.fay at gmail.com> wrote:
>
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
>
> # semanage fcontext -lC
> SELinux fcontext                                   type
> Context
>
> /home/users(/.*)?                                  all files
> system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql                                     all files
> system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?                               all files
> system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
>
>
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth at gmail.com>
> wrote:
>
> > On 23 October 2017 at 13:33, Bernard Fay <bernard.fay at gmail.com> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs.  I added a LV
> > > specifically for mysql.  I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old.  I created a new dir /var/lib/mysql and mounted the
> > > LV on /var/lib/mysql.  I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> > >
> >
> > /var/lib/mysql is already in default policy - no need to add anything
> > there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > https://lists.centos.org/mailman/listinfo/centos
> >
>
>
> The equivalence is what has broken things for you then.
>
> Remember that the source of truth for labels doesn't follow the files
> themselves.
>
> Looking at that it appears you told selinux that your local config should
> have /var/lib/mysql match /var/lib/mysql.old ... note well the ordering
> there.
>
> The system policy for the latter will inherit from /var/lib as mysql.old is
> not a directory that is in the normal config.
>
> This "local config" making /var/lib/mysql in the policy match
> /var/lib/mysql.old is now overriding the default system config ... which is
> why restorecon is setting it to var_lib_t and not the mysql type.
>
> If you restorecon on /var/lib/mysql.old this will be evident.
>
> The fix is to semanage fcontext -d -e /var/lib/mysql to remove that
> incorrect local equivalence overriding base policy and then to restorecon
> -Rv /var/lib/mysql to put in place the correct labels.
>
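As an added example that is not part of this thread: a small POSIX shell script that parses constructed `semanage fcontext -lC` output modelled on the listings above, lists the local equivalence rules, flags the one that redirects the labelling of /var/lib/mysql (the override James describes), and flags relative entries such as ./mysql = ./mysql.old that can never prefix-match the absolute paths restorecon looks up. The sample output and the function names are my own constructions.

```shell
#!/bin/sh
# Constructed sample of `semanage fcontext -lC` output, modelled on the thread.
SAMPLE_LC='SELinux fcontext                                   type               Context

/home/users(/.*)?                                  all files          system_u:object_r:user_home_dir_t:s0
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old'

# Lines of the form "X = Y" that follow the "Local fcontext Equivalence" header.
local_equivalences() {
    printf '%s\n' "$1" | awk '/Local fcontext Equivalence/ { eq = 1; next } eq && / = / { print }'
}

# The equivalence whose left side is the path itself or one of its parents,
# i.e. the rule that makes restorecon label the path as if it were Y instead.
equivalence_for_path() {
    local_equivalences "$1" | awk -v p="$2" '$1 == p || index(p, $1 "/") == 1 { print }'
}

# Equivalences with a relative side (like the ./mysql entries in the thread);
# a relative prefix never matches an absolute path, so these are dead entries.
non_absolute_equivalences() {
    local_equivalences "$1" | awk '$1 !~ /^\// || $3 !~ /^\//'
}

# Exit status 1 when a local equivalence redirects the path, 0 otherwise.
check_path() {
    eq=$(equivalence_for_path "$1" "$2")
    if [ -n "$eq" ]; then
        echo "WARNING: labelling of $2 is redirected by local equivalence: $eq"
        return 1
    fi
    echo "OK: no local equivalence affects $2"
}

check_path "$SAMPLE_LC" /var/lib/mysql || true
echo "Relative (never-matching) equivalences:"
non_absolute_equivalences "$SAMPLE_LC"
```

On a live system, replace SAMPLE_LC with `$(semanage fcontext -lC)` and compare the reported path against `ls -dZ` to see the override before and after removing it.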