SELinux and mariadb (mysql)

I’ve just built a new mysql server vm, using the instructions I posted previously. This is documentation on how I configured it.

To get nfs to work, install nfs-utils.

$ yum install nfs-utils httpd mariadb mariadb-server

I’m putting the database on an nfs mount from my nas. Socket files can’t exist on nfs. It’s easier to move the data than the socket file (I think I hit an selinux issue with socket access).

Add the following to /etc/my.cnf:

[mysqld]
# Move datadir to mysql-data
datadir=/var/lib/mysql-data
# Default socket
socket=/var/lib/mysql/mysql.sock
# Wasn't binding to an external ipv4 by default
bind-address=10.10.11.107

Make the mysql-data directory, and restrict its permissions:

$ mkdir -p        /var/lib/mysql-data
$ chown root:root /var/lib/mysql-data
$ chmod 0000      /var/lib/mysql-data

Now, mysql-data files will need to have the mysqld_db_t selinux context applied to them. Contexts don’t carry over nfs, so we can force one for the whole mount in /etc/fstab:

nas:/hosts/sql/var/lib/mysql    /var/lib/mysql-data    nfs4    nosharecache,context="system_u:object_r:mysqld_db_t:s0"   0 0

Now, enable mariadb, and start the service:

$ systemctl enable mariadb
$ systemctl start  mariadb

If you’re having issues starting the service, you can check for any recent selinux denials.

$ ausearch -m avc | tail
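
Alongside the denial log, it is worth confirming that the fstab entry really forces the type mysqld needs on the data mount. The script below is an added example, not part of the original post: the function names and the sample fstab text are assumptions made for illustration, and the second nfs mount in the sample is invented to show the failing case.

```shell
#!/bin/sh
# Added example, not from the original post.
# SAMPLE_FSTAB is constructed; its nfs4 data entry mirrors the line in the post,
# the backup entry is a made-up mount with no context= option.
SAMPLE_FSTAB='# constructed sample
/dev/mapper/vg-root  /  xfs  defaults  0 0
nas:/hosts/sql/var/lib/mysql  /var/lib/mysql-data  nfs4  nosharecache,context="system_u:object_r:mysqld_db_t:s0"  0 0
nas:/hosts/sql/backup  /var/lib/mysql-backup  nfs4  nosharecache  0 0'

# fstab_context FSTAB_TEXT MOUNTPOINT
# Prints the context= value for MOUNTPOINT with quotes stripped, or nothing
# when the entry is missing or carries no context= option.
fstab_context() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 ~ /^#/ || NF < 4 { next }          # comments, blank or short lines
        $2 == mp {
            o = "," $4                         # leading comma anchors the option name
            # Quoted form first: an MLS range such as s0:c1,c2 contains commas.
            if (match(o, /,context="[^"]*"/) || match(o, /,context=[^,]*/)) {
                v = substr(o, RSTART + 9, RLENGTH - 9)
                gsub(/"/, "", v)
                print v
            }
            exit
        }'
}

# check_datadir_label FSTAB_TEXT MOUNTPOINT EXPECTED_TYPE
# Returns 0 when the forced type matches, 1 when another type is forced,
# 2 when no context= is set (files would then get the default NFS label).
check_datadir_label() {
    ctx=$(fstab_context "$1" "$2")
    [ -n "$ctx" ] || { echo "MISSING: $2 has no context= option"; return 2; }
    setype=$(printf '%s' "$ctx" | cut -d: -f3)
    if [ "$setype" = "$3" ]; then
        echo "OK: $2 forces $ctx"
    else
        echo "WRONG: $2 forces type $setype, expected $3"
        return 1
    fi
}

check_datadir_label "$SAMPLE_FSTAB" /var/lib/mysql-data mysqld_db_t
check_datadir_label "$SAMPLE_FSTAB" /var/lib/mysql-backup mysqld_db_t || true
```

On a real host, pass "$(cat /etc/fstab)" as the first argument instead of the sample text.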