Thanks, I managed to fix /var/lib/mysql

# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

To fix it, I tried:
semanage fcontext -d -e /var/lib/mysql

this command returned:
KeyError: /var/lib/mysql

I tried restorecon anyway:
restorecon -Rv /var/lib/mysql

But not better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql

So I did the following:
semanage fcontext -d -t var_lib_t /var/lib/mysql

It started to look better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql

Then I ran restorecon
restorecon -Rv /var/lib/mysql

I got a lot of:
restorecon reset /var/lib/mysql/...

And then I got the proper context on /var/lib/mysql.

I think there are still many things I do not understand about SELinux. I
thought the equivalence thing I did with the command below was going to
assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!

semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql

I still have the following equivalence:

# semanage fcontext -lC
SELinux fcontext         type         Context

/home/users(/.*)?        all files    system_u:object_r:user_home_dir_t:s0
/var/lib/mysql           all files    system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?     all files    system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
mysql = ./mysql.old

Should I be worried about those two equivalences?

Thanks,
Bernard

On Mon, Oct 23, 2017 at 1:41 PM, James Hogarth <james.hogarth@xxxxxxxxx> wrote:

> On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard.fay@xxxxxxxxx> wrote:
>
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
>
> # semanage fcontext -lC
> SELinux fcontext         type         Context
>
> /home/users(/.*)?        all files    system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql           all files    system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?     all files    system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth@xxxxxxxxx>
> wrote:
>
> > On 23 October 2017 at 13:33, Bernard Fay <bernard.fay@xxxxxxxxx> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the
> > > LV on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> > >
> >
> > /var/lib/mysql is already in default policy - no need to add anything
> > there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > https://lists.centos.org/mailman/listinfo/centos
>
> The equivalence is what has broken things for you then.
>
> Remember that the source of Truth for labels doesn't follow the files
> themselves.
>
> Looking at that it appears you told selinux that your local config should
> have /var/lib/mysql match /var/lib/mysql.old ... note well the ordering
> there.
>
> The system policy for the latter will inherit from /var/lib as mysql.old is
> not a directory that is in the normal config.
>
> This "local config" making /var/lib/mysql in the policy match
> /var/lib/mysql.old is now overriding the default system config ... which is
> why restorecon is setting it to var_lib_t and not the mysql type.
>
> If you restorecon on /var/lib/mysql.old this will be evident.
>
> The fix is to semanage fcontext -d -e /var/lib/mysql to remove that
> incorrect local equivalence overriding base policy and then to restorecon
> -Rv /var/lib/mysql to put in place the correct labels.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
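
Added example (not part of the original thread): a simplified Python model of the lookup James describes, in which a local equivalence rewrites the path before it is matched against the policy's file-context patterns. The two-entry pattern list, the longest-literal-prefix tie-break and the sample file name are assumptions standing in for the real policy and libselinux's ordering.

```python
import re

# Constructed, simplified stand-in for base-policy file_contexts entries.
BASE_SPECS = [
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/lib/mysql(/.*)?", "mysqld_db_t"),
]

# What "semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql" records:
# label /var/lib/mysql as if it were /var/lib/mysql.old (alias, stand-in).
LOCAL_EQUIV = [("/var/lib/mysql", "/var/lib/mysql.old")]


def apply_equivalence(path, equivalences):
    """Rewrite the path if it is an alias or lies underneath one."""
    for alias, stand_in in equivalences:
        if path == alias or path.startswith(alias + "/"):
            return stand_in + path[len(alias):]
    return path


def literal_prefix(pattern):
    """Fixed text before the first regex metacharacter (specificity proxy)."""
    return re.split(r"[.^$*+?()\[\]{}|\\]", pattern, maxsplit=1)[0]


def expected_type(path, equivalences=()):
    """Type this model assigns: substitute first, then match the patterns."""
    resolved = apply_equivalence(path, equivalences)
    matches = [(len(literal_prefix(p)), t) for p, t in BASE_SPECS
               if re.fullmatch(p, resolved)]
    return max(matches)[1] if matches else None


def shadowed_aliases(equivalences):
    """Equivalences that hide a label the base patterns assign directly."""
    return [(a, s) for a, s in equivalences
            if expected_type(a) != expected_type(a, equivalences)]


if __name__ == "__main__":
    # "ibdata1" is a constructed sample file name under the data directory.
    for p in ("/var/lib/mysql", "/var/lib/mysql/ibdata1"):
        print(p, expected_type(p), "->", expected_type(p, LOCAL_EQUIV))
    print("shadowing:", shadowed_aliases(LOCAL_EQUIV))
```

In the model, /var/lib/mysql resolves to mysqld_db_t with no equivalence and to var_lib_t once the equivalence is present, because the substituted path /var/lib/mysql.old only matches the /var/lib pattern.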