Re: Unable to apply mysqld_db_t to mysql directory




On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard.fay@xxxxxxxxx> wrote:

Interesting to see the Equivalence. As a first thing, I tried:

semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
then
restorecon -R /var/lib/mysql


# semanage fcontext -lC
SELinux fcontext                                   type               Context

/home/users(/.*)?                                  all files          system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                                     all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old




On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth@xxxxxxxxx>
wrote:

> On 23 October 2017 at 13:33, Bernard Fay <bernard.fay@xxxxxxxxx> wrote:
> > Hello,
> >
> > A server was configured in /var/lib/mysql in the root fs.  I added a LV
> > specifically for mysql.  I stopped mysql and renamed /var/lib/mysql to
> > /var/lib/mysql.old.  I created a new dir /var/lib/mysql and mounted the LV
> > on /var/lib/mysql.  I then copied with "cp -prZ" all mysql files in
> > /var/lib/mysql.old to /var/lib/mysql.
> >
> > But then I got a selinux problem:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> > I tried to change the context on mysql with the following commands:
> >
> > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > # restorecon -R -v /var/lib/mysql
> >
> > But the /var/lib/mysql directory didn't take the change as you can see
> > below:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0   mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> >
> > How can I fix the wrong context on mysql directory?
> > Thanks,
> >
>
> /var/lib/mysql is already in default policy - no need to add anything
there
>
> can you please provide the output of 'semanage fcontext -lC' so that
> we can see any local selinux modifications made?
>
> From base policy with nothing added, for that directory, you *should*
> be able to just restorecon -Rv /var/lib/mysql and have the correct
> labelling.
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>


The equivalence is what has broken things for you then.

Remember that the source of truth for labels doesn't follow the files
themselves.

Looking at that it appears you told selinux that your local config should
have /var/lib/mysql match /var/lib/mysql.old ... note well the ordering
there.

The system policy for the latter will inherit from /var/lib as mysql.old is
not a directory that is in the normal config.

This "local config" making /var/lib/mysql in the policy match
/var/lib/mysql.old is now overriding the default system config ... which is
why restorecon is setting it to var_lib_t and not the mysql type.

If you restorecon on /var/lib/mysql.old this will be evident.

The fix is to semanage fcontext -d -e /var/lib/mysql to remove that
incorrect local equivalence overriding base policy and then to restorecon
-Rv /var/lib/mysql to put in place the correct labels.
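To make the precedence James describes concrete, here is a small Python model of how the default label for a path is resolved, written for this page and not taken from the thread or from libselinux itself. It is a simplified re-implementation of what the selabel_file backend does for restorecon and matchpathcon: the path is first rewritten through the local equivalence table, and only afterwards matched against the file_contexts regexes, where the last matching entry wins. The three policy entries and the context strings are a hand-picked subset assumed for the example; the equivalence and local entries mirror the ones from Bernard's `semanage fcontext -lC` output.

```python
"""Constructed model of SELinux default-label resolution under a local
fcontext equivalence.  Simplified re-implementation for illustration,
not libselinux: real lookups also use stem indexing and a distro-level
file_contexts.subs_dist, neither of which changes the outcome shown here.
"""
import re

# Hand-picked subset of base policy, in the order the matcher tries them:
# generic first, most specific last, and the last match wins.
BASE_FILE_CONTEXTS = [
    (r"/.*",                  "system_u:object_r:default_t:s0"),
    (r"/var/lib(/.*)?",       "system_u:object_r:var_lib_t:s0"),
    (r"/var/lib/mysql(/.*)?", "system_u:object_r:mysqld_db_t:s0"),
]

# What `semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"` adds to
# file_contexts.local; local entries are consulted after the base ones.
LOCAL_FILE_CONTEXTS = [
    (r"/var/lib/mysql(/.*)?", "system_u:object_r:mysqld_db_t:s0"),
]

# What `semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql` records in
# file_contexts.subs, as (target, source): "label TARGET as if it were SOURCE".
# This is the entry shown as "/var/lib/mysql = /var/lib/mysql.old" above.
BROKEN_EQUIVALENCE = [("/var/lib/mysql", "/var/lib/mysql.old")]


def apply_equivalences(path, equivalences):
    """Rewrite `path` through the subs table: if it is, or lies under, a
    target, that prefix is swapped for the source before any regex runs."""
    for target, source in equivalences:
        if path == target or path.startswith(target.rstrip("/") + "/"):
            return source + path[len(target):]
    return path


def default_label(path, equivalences=(), local_contexts=()):
    """Return the context restorecon would apply to `path` (None if unmatched)."""
    lookup = apply_equivalences(path, equivalences)
    label = None
    for pattern, context in list(BASE_FILE_CONTEXTS) + list(local_contexts):
        if re.fullmatch(pattern, lookup):
            label = context  # later (more specific, then local) entries win
    return label


def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    # Paths from the thread: the new mount point, a file inside it, and the
    # renamed copy that has no entry of its own in policy.
    for path in ("/var/lib/mysql", "/var/lib/mysql/ibdata1", "/var/lib/mysql.old"):
        print(path)
        print("  base policy only   :", type_of(default_label(path)))
        print("  with equivalence   :", type_of(default_label(
            path, BROKEN_EQUIVALENCE, LOCAL_FILE_CONTEXTS)))
        print("  equivalence removed:", type_of(default_label(
            path, (), LOCAL_FILE_CONTEXTS)))
```

The model reproduces the symptom: with the equivalence present, `/var/lib/mysql` is rewritten to `/var/lib/mysql.old` before matching, so only the generic `/var/lib(/.*)?` entry applies and the result is `var_lib_t`, even though both base policy and the added local entry map `/var/lib/mysql(/.*)?` to `mysqld_db_t`. Dropping the equivalence, and nothing else, is enough for the specific entry to win again.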


