
20.4. Configuration Examples

20.4.1. MariaDB Changing Database Location

When using Red Hat Enterprise Linux, the default location for MariaDB to store its database is /var/lib/mysql/. This is where SELinux expects it to be by default, and hence this area is already labeled appropriately for you, using the mysqld_db_t type.

The location where the database is stored can be changed depending on individual environment requirements or preferences; however, it is important that SELinux is aware of this new location, that is, that it is labeled accordingly. This example explains how to change the location of a MariaDB database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents.

Note that this is an example only and demonstrates how SELinux can affect MariaDB. Comprehensive documentation of MariaDB is beyond the scope of this document. Refer to the official MariaDB documentation for further details. This example assumes that the mariadb-server and setroubleshoot-server packages are installed, that the auditd service is running, and that there is a valid database in the default location of /var/lib/mysql/.

1. View the SELinux context of the default database location for mysql:

~]# ls -lZ /var/lib/mysql
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

This shows mysqld_db_t, which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.

2. Run the following command and enter the mysqld root password to show the available databases:

~]# mysqlshow -u root -p
Enter password: *******
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| mysql              |
| test               |
| wikidb             |
+--------------------+

3. Stop the mysqld daemon:

~]# systemctl stop mariadb.service

4. Create a new directory for the new location of the database(s). In this example, /mysql/ is used:

~]# mkdir -p /mysql

5. Copy the database files from the old location to the new location:

~]# cp -R /var/lib/mysql/* /mysql/

6. Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions, which SELinux will still observe:

~]# chown -R mysql:mysql /mysql

7. Run the following command to see the initial context of the new directory:

~]# ls -lZ /mysql
drwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0 mysql

The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MariaDB database files. Once the context has been changed, MariaDB will be able to function properly in this area.

8. Open the main MariaDB configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example the value that should be entered is /mysql:

[mysqld]
datadir=/mysql

Save this file and exit.

9. Start mysqld. The service should fail to start, and a denial message will be logged to the /var/log/messages file:

~]# systemctl start mariadb.service
Job for mariadb.service failed. See 'systemctl status postgresql.service' and 'journalctl -xn' for details.

However, if the audit daemon is running together with the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead:

SELinux is preventing /usr/libexec/mysqld "write" access on /mysql.

For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71

The reason for this denial is that /mysql/ is not labeled correctly for MariaDB data files. SELinux is stopping MariaDB from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:

10. Run the following command to add a context mapping for /mysql/. Note that the semanage utility is not installed by default. If it is missing on your system, install the policycoreutils-python package.

~]# semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"

11. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

~]# grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local
/mysql(/.*)? system_u:object_r:mysqld_db_t:s0

12. Now use the restorecon utility to apply this context mapping to the running system:

~]# restorecon -R -v /mysql

13. Now that the /mysql/ location has been labeled with the correct context for MariaDB, mysqld starts:

~]# systemctl start mariadb.service

14. Confirm the context has changed for /mysql/:

~]$ ls -lZ /mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

15. The location has been changed and labeled, and mysqld has started successfully. At this point all running services should be tested to confirm normal operation.
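The fifteen steps above, collected into one re-runnable script. This is an added example, not part of the Red Hat guide: it performs the same commands but records the semanage mapping and runs restorecon before the first start attempt, so the AVC denial of step 9 never happens, and it refuses to start mariadb until the new directory actually carries mysqld_db_t. Every command that changes the system goes through run(), which only echoes while DRY_RUN=1 (the default), so the script can be read and exercised on a machine without root or SELinux. The unit name mariadb.service, the file /etc/my.cnf and the type mysqld_db_t are taken from the guide; NEW_DIR and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): relocate a MariaDB datadir and
# label it for SELinux. Set DRY_RUN=0 to execute instead of echo.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Type is the third colon-separated component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return the first field of an ls line that looks like an SELinux context.
# RHEL 7 'ls -lZ' prints "mode user group context name"; newer coreutils
# prints the context after the group inside the full long listing, and a
# plain 'ls -dZ' prints "context name", so do not rely on a fixed column.
context_field() {
    for f in $1; do
        case $f in
            *:*:*:*) printf '%s\n' "$f"; return 0 ;;
        esac
    done
    return 1
}

ls_line_type() {
    context_type "$(context_field "$1")"
}

# 0 when the ls line carries the wanted type, 1 otherwise (gates the start).
label_ok() {
    [ "$(ls_line_type "$1")" = "$2" ]
}

relocate_mariadb_datadir() {
    new_dir=$1
    run systemctl stop mariadb.service
    run mkdir -p "$new_dir"
    run cp -R /var/lib/mysql/. "$new_dir"/      # '/.' also copies dotfiles
    run chown -R mysql:mysql "$new_dir"
    # Persist the mapping first, then apply it: a chcon alone would be undone
    # by the next relabel because file_contexts would not know the new path.
    run semanage fcontext -a -t mysqld_db_t "$new_dir(/.*)?"
    run restorecon -R -v "$new_dir"
    run sed -i "s|^datadir=.*|datadir=$new_dir|" /etc/my.cnf
    [ "$DRY_RUN" = 1 ] && return 0
    # Starting before the label is right produces the denial shown in step 9.
    if label_ok "$(ls -dZ "$new_dir")" mysqld_db_t; then
        systemctl start mariadb.service
    else
        echo "$new_dir is not labeled mysqld_db_t; not starting mariadb" >&2
        return 1
    fi
}
```

Source the file and call relocate_mariadb_datadir /mysql; with DRY_RUN=0 it runs as root. label_ok can also be used on its own, for example in a post-deployment check, to make sure a restore from backup or a relabel did not leave the datadir as usr_t or default_t.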


Chapter 21. PostgreSQL

PostgreSQL is an Object-Relational database management system (DBMS).

In Red Hat Enterprise Linux, the postgresql-server package provides PostgreSQL. Run the following command to see if the postgresql-server package is installed:

~]# rpm -q postgresql-server

If it is not installed, use the yum utility as root to install it:

~]# yum install postgresql-server

21.1. PostgreSQL and SELinux

When PostgreSQL is enabled, it runs confined by default. Confined processes run in their own domains, and are separated from other confined processes. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited. The following example demonstrates the PostgreSQL processes running in their own domain. This example assumes the postgresql-server package is installed:

1. Run the getenforce command to confirm SELinux is running in enforcing mode:

~]$ getenforce
Enforcing

The command returns Enforcing when SELinux is running in enforcing mode.

2. Run the following command as the root user to start postgresql:

~]# systemctl start postgresql.service

Confirm that the service is running. The output should include the information below (only the time stamp will differ):

~]# systemctl status postgresql.service
postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled)
   Active: active (running) since Mon 2013-08-05 14:57:49 CEST; 12s

3. Run the following command to view the postgresql processes:

~]$ ps -eZ | grep postgres
system_u:system_r:postgresql_t:s0 395 ? 00:00:00 postmaster
system_u:system_r:postgresql_t:s0 397 ? 00:00:00 postmaster
system_u:system_r:postgresql_t:s0 399 ? 00:00:00 postmaster
system_u:system_r:postgresql_t:s0 400 ? 00:00:00 postmaster
system_u:system_r:postgresql_t:s0 401 ? 00:00:00 postmaster
system_u:system_r:postgresql_t:s0 402 ? 00:00:00 postmaster

The SELinux context associated with the postgresql processes is system_u:system_r:postgresql_t:s0. The second last part of the context, postgresql_t, is the type. A type defines a domain for processes and a type for files. In this case, the postgresql processes are running in the postgresql_t domain.
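The check in step 3 is done by eye above. The following added example (not from the Red Hat guide) turns it into a function that parses ps -eZ output and reports whether every process of a service is in the expected domain, distinguishing "running unconfined" from "not running at all". The sample lines in SAMPLE_PS are constructed for the example, modelled on the output shown above; the domain name postgresql_t is the guide's. On a live system pass "$(ps -eZ)" as the first argument.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify a service's processes
# run in the SELinux domain the policy intends. Sample ps -eZ output,
# constructed for this example (the unconfined shell has an MLS range with
# extra colons, which the parser must not mistake for the type).
SAMPLE_PS='system_u:system_r:postgresql_t:s0   395 ?  00:00:00 postmaster
system_u:system_r:postgresql_t:s0   397 ?  00:00:00 postmaster
system_u:system_r:postgresql_t:s0   399 ?  00:00:00 postmaster
system_u:system_r:init_t:s0           1 ?  00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2240 pts/0 00:00:00 bash'

# Print "pid type" for each process in ps output $1 whose command is $2.
# ps -eZ puts the context first; its third colon-separated component is the
# type, whatever follows in the level field.
service_domains() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $NF == cmd { split($1, c, ":"); print $2, c[3] }'
}

# Exit status: 0 if every process named $2 is in domain $3, 1 if any is in
# another domain (for example started by hand from a root shell and left
# running as unconfined_t), 2 if no such process exists, so that "nothing
# running" is never reported as "properly confined".
assert_confined() {
    found=0
    bad=0
    for entry in $(service_domains "$1" "$2" | tr ' ' '='); do
        found=1
        [ "${entry#*=}" = "$3" ] || bad=1
    done
    [ "$found" = 1 ] || return 2
    [ "$bad" = 0 ]
}
```

A status of 1 from assert_confined on a production host is worth an alert: a daemon that is running unconfined has lost the separation this section describes, and the usual cause is that it was started outside systemd or from a mislabeled binary.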

21.2. Types

Type Enforcement is the main permission control used in SELinux targeted policy. All files and processes are labeled with a type: types define a domain for processes and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.

The following types are used with postgresql. Different types allow you to configure flexible access. Note that several entries in the list below are regular expressions that match a set of possible locations:

postgresql_db_t

This type is used for several locations. The locations labeled with this type are used for data files for PostgreSQL:

/usr/lib/pgsql/test/regres
/usr/share/jonas/pgsql
/var/lib/pgsql/data
/var/lib/postgres(ql)?

postgresql_etc_t

This type is used for configuration files in the /etc/postgresql/ directory.

postgresql_exec_t

This type is used for several locations. The locations labeled with this type are used for binaries for PostgreSQL:

/usr/bin/initdb(.sepgsql)?
/usr/bin/(se)?postgres
/usr/lib(64)?/postgresql/bin/.*
/usr/lib(64)?/pgsql/test/regress/pg_regress

systemd_unit_file_t

This type is used for the executable PostgreSQL-related files located in the /usr/lib/systemd/system/ directory.

postgresql_log_t

This type is used for several locations. The locations labeled with this type are used for log files:

/var/lib/pgsql/logfile
/var/lib/pgsql/pgstartup.log
/var/lib/sepgsql/pgstartup.log
/var/log/postgresql
/var/log/postgres.log.*
/var/log/rhdb/rhdb
/var/log/sepostgresql.log.*

postgresql_var_run_t

This type is used for run-time files for PostgreSQL, such as the process id (PID) in the /var/run/postgresql/ directory.
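Both the MariaDB mapping added with semanage fcontext in section 20.4.1 and the location patterns listed above are regular expressions that SELinux anchors at both ends of the path. The added example below (not from the Red Hat guide) makes that matching explicit: it evaluates a small file_contexts-style table against a path the way restorecon would, showing why "/mysql(/.*)?" covers /mysql and everything beneath it but not /mysqlbackup, and why a pattern ending in "/.*" labels a directory's contents but not the directory itself. The table is constructed for this example from the patterns quoted on this page, with "(/.*)?" appended to the data directories; it is not a copy of the system file, and it deliberately has no overlapping entries, so "the matching entry" is unambiguous (the real file_contexts has its own precedence rules when several entries match).

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): anchored regex matching as
# used by file_contexts. Table constructed for this example.
FCONTEXTS='/var/lib/postgres(ql)?(/.*)?         system_u:object_r:postgresql_db_t:s0
/var/lib/pgsql/data(/.*)?               system_u:object_r:postgresql_db_t:s0
/usr/bin/(se)?postgres                  system_u:object_r:postgresql_exec_t:s0
/usr/lib(64)?/postgresql/bin/.*         system_u:object_r:postgresql_exec_t:s0
/var/log/postgres\.log.*                system_u:object_r:postgresql_log_t:s0
/mysql(/.*)?                            system_u:object_r:mysqld_db_t:s0'

# Each pattern is matched against the whole path, so anchor it at both ends.
pattern_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Print the type the table assigns to path $1, or nothing when no entry
# matches (such a file keeps whatever its parent gave it, e.g. usr_t, which
# is exactly the situation the MariaDB example runs into in step 7).
expected_type() {
    printf '%s\n' "$FCONTEXTS" | while read -r pat ctx; do
        if pattern_matches "$pat" "$1"; then
            printf '%s\n' "$ctx" | cut -d: -f3
            break
        fi
    done
}
```

Running expected_type over the paths a service actually uses before restorecon is a cheap way to catch the usual labeling mistakes, such as a mapping added without the "(/.*)?" suffix or a path typo that matches nothing; on a live system the same question is answered by matchpathcon, which consults the real policy.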

21.3. Booleans

SELinux is based on the least level of access required for a service to run. Services can be run in a variety of ways; therefore, you need to specify how you run your services. Use the following Booleans to set up SELinux:

selinuxuser_postgresql_connect_enabled

Having this Boolean enabled allows any user domain (as defined by PostgreSQL) to make connections to the database server.

Note

Due to the continuous development of the SELinux policy, the list above might not contain all Booleans related to the service at all times. To list them, run the following command:

~]$ getsebool -a | grep service_name

Run the following command to view the description of a particular Boolean:

~]$ sepolicy booleans -b boolean_name

Note that the additional policycoreutils-devel package providing the sepolicy utility is required.