Interesting to see the Equivalence. As a first thing, I tried:

semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
then
restorecon -R /var/lib/mysql

# semanage fcontext -lC
SELinux fcontext                 type               Context

/home/users(/.*)?                all files          system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                   all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?             all files          system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old

On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth at gmail.com> wrote:
> On 23 October 2017 at 13:33, Bernard Fay <bernard.fay at gmail.com> wrote:
> > Hello,
> >
> > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV
> > on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > /var/lib/mysql.old to /var/lib/mysql.
> >
> > But then I got a selinux problem:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> > I tried to change the context on mysql with the following commands:
> >
> > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > # restorecon -R -v /var/lib/mysql
> >
> > But the /var/lib/mysql directory didn't take the change as you can see
> > below:
> > # ls -ldZ mysql.old/ mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> >
> >
> > How can I fix the wrong context on mysql directory?
> > Thanks,
> >
>
> /var/lib/mysql is already in default policy - no need to add anything there
>
> can you please provide the output of 'semanage fcontext -lC' so that
> we can see any local selinux modifications made?
>
> From base policy with nothing added, for that directory, you *should*
> be able to just restorecon -Rv /var/lib/mysql and have the correct
> labelling.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
James Hogarth
2017-Oct-23 17:41 UTC
[CentOS] Unable to apply mysqld_db_t to mysql directory
On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard.fay at gmail.com> wrote:
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
> # semanage fcontext -lC
> SELinux fcontext                 type               Context
>
> /home/users(/.*)?                all files          system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql                   all files          system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?             all files          system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth at gmail.com> wrote:
> > On 23 October 2017 at 13:33, Bernard Fay <bernard.fay at gmail.com> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV
> > > on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> > >
> >
> > /var/lib/mysql is already in default policy - no need to add anything there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.

The equivalence is what has broken things for you then.

Remember that the source of truth for labels doesn't follow the files
themselves.

Looking at that it appears you told selinux that your local config should
have /var/lib/mysql match /var/lib/mysql.old ... note well the ordering
there.

The system policy for the latter will inherit from /var/lib as mysql.old is
not a directory that is in the normal config.

This "local config" making /var/lib/mysql in the policy match
/var/lib/mysql.old is now overriding the default system config ... which is
why restorecon is setting it to var_lib_t and not the mysql type.

If you restorecon on /var/lib/mysql.old this will be evident.

The fix is to semanage fcontext -d -e /var/lib/mysql to remove that
incorrect local equivalence overriding base policy and then to restorecon
-Rv /var/lib/mysql to put in place the correct labels.
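The mechanism James describes (an equivalence "X = Y" makes X inherit Y's labelling rules, so an equivalence whose left side already has fcontext rules of its own silently overrides them) can be checked from the `semanage fcontext -lC` listing before anyone runs restorecon. The script below is an added example, not code from this thread or from the SELinux tools: it embeds the listing Bernard posted as a constructed sample and parses it with awk so that it runs offline; on a live system you would pipe the real `semanage fcontext -lC` output into `equiv_overrides`. The function names are my own, and the check assumes the listing layout shown in the thread (a table headed "SELinux fcontext", then a section headed "SELinux Local fcontext Equivalence").

```shell
#!/bin/sh
# Added example: flag local fcontext equivalences that override an existing
# labelling rule, i.e. "X = Y" where X already has its own fcontext entry.
# Such an equivalence makes restorecon label X using Y's rules instead.

# Constructed sample: the listing posted in the thread, reproduced verbatim.
SAMPLE_LC='SELinux fcontext                 type               Context

/home/users(/.*)?                all files          system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                   all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?             all files          system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
/var/lib/mysql = /var/lib/mysql.old
mysql = ./mysql.old'

# Print "src = target" pairs from the equivalence section of a listing on stdin.
list_equivalences() {
    awk '
        /^SELinux Local fcontext Equivalence/ { in_eq = 1; next }
        in_eq && NF == 3 && $2 == "=" { print $1 " = " $3 }
    '
}

# Print the path specs (first column) from the fcontext table on stdin,
# stopping at the equivalence section.
list_fcontext_specs() {
    awk '
        /^SELinux Local fcontext Equivalence/ { exit }
        /^SELinux fcontext/ { next }
        NF >= 3 { print $1 }
    '
}

# For each equivalence "src = target", report when src (the path that gets
# relabelled by target's rules) already has a rule of its own, either as a
# plain path or as the usual "path(/.*)?" regex.
equiv_overrides() {
    listing=$(cat)
    printf '%s\n' "$listing" | list_equivalences | while IFS= read -r line; do
        src=${line%% = *}
        target=${line##* = }
        if printf '%s\n' "$listing" | list_fcontext_specs \
            | grep -qx -F -e "$src" -e "$src(/.*)?"; then
            printf 'OVERRIDE: %s has its own rule but is relabelled via %s\n' \
                "$src" "$target"
        fi
    done
}

# Demo run on the constructed sample; flags exactly the equivalence James
# identified, and leaves the two relative-path entries alone.
printf '%s\n' "$SAMPLE_LC" | equiv_overrides
```

On the sample this prints one line for `/var/lib/mysql`, which is the equivalence that redirected it to `/var/lib/mysql.old` and thereby to the generic `/var/lib` rule. Running the same check against live output (`semanage fcontext -lC | equiv_overrides`) is a cheap sanity step after any `semanage fcontext -a -e` before restorecon rewrites labels on a data directory.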
Thanks, I managed to fix /var/lib/mysql

# ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql

To fix it, I tried:
semanage fcontext -d -e /var/lib/mysql
this command returned:
KeyError: /var/lib/mysql

I tried restorecon anyway:
restorecon -Rv /var/lib/mysql
But not better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql

So I did the following:
semanage fcontext -d -t var_lib_t /var/lib/mysql
It started to look better:
ls -ldZ /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 /var/lib/mysql

Then I ran restorecon
restorecon -Rv /var/lib/mysql
I got a lot of:
restorecon reset /var/lib/mysql/...
And then I got the proper context on /var/lib/mysql.

I think there are still many things I do not understand about SELinux. I
thought the equivalence thing I did with the command below was going to
assign the context of /var/lib/mysql.old to /var/lib/mysql. Obviously not!
semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql

I still have the following equivalence:
# semanage fcontext -lC
SELinux fcontext                 type               Context

/home/users(/.*)?                all files          system_u:object_r:user_home_dir_t:s0
/var/lib/mysql                   all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql(/.*)?             all files          system_u:object_r:mysqld_db_t:s0

SELinux Local fcontext Equivalence

./mysql = ./mysql.old
mysql = ./mysql.old

Should I be worried about those two equivalences?

Thanks,
Bernard

On Mon, Oct 23, 2017 at 1:41 PM, James Hogarth <james.hogarth at gmail.com> wrote:
> On 23 Oct 2017 5:26 pm, "Bernard Fay" <bernard.fay at gmail.com> wrote:
>
> Interesting to see the Equivalence. As a first thing, I tried:
>
> semanage fcontext -a -e /var/lib/mysql.old /var/lib/mysql
> then
> restorecon -R /var/lib/mysql
>
> # semanage fcontext -lC
> SELinux fcontext                 type               Context
>
> /home/users(/.*)?                all files          system_u:object_r:user_home_dir_t:s0
> /var/lib/mysql                   all files          system_u:object_r:mysqld_db_t:s0
> /var/lib/mysql(/.*)?             all files          system_u:object_r:mysqld_db_t:s0
>
> SELinux Local fcontext Equivalence
>
> ./mysql = ./mysql.old
> /var/lib/mysql = /var/lib/mysql.old
> mysql = ./mysql.old
>
> On Mon, Oct 23, 2017 at 10:27 AM, James Hogarth <james.hogarth at gmail.com> wrote:
> > On 23 October 2017 at 13:33, Bernard Fay <bernard.fay at gmail.com> wrote:
> > > Hello,
> > >
> > > A server was configured in /var/lib/mysql in the root fs. I added a LV
> > > specifically for mysql. I stopped mysql and renamed /var/lib/mysql to
> > > /var/lib/mysql.old. I created a new dir /var/lib/mysql and mounted the LV
> > > on /var/lib/mysql. I then copied with "cp -prZ" all mysql files in
> > > /var/lib/mysql.old to /var/lib/mysql.
> > >
> > > But then I got a selinux problem:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > > I tried to change the context on mysql with the following commands:
> > >
> > > # semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
> > > # restorecon -R -v /var/lib/mysql
> > >
> > > But the /var/lib/mysql directory didn't take the change as you can see
> > > below:
> > > # ls -ldZ mysql.old/ mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:var_lib_t:s0 mysql
> > > drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql.old/
> > >
> > >
> > > How can I fix the wrong context on mysql directory?
> > > Thanks,
> > >
> >
> > /var/lib/mysql is already in default policy - no need to add anything there
> >
> > can you please provide the output of 'semanage fcontext -lC' so that
> > we can see any local selinux modifications made?
> >
> > From base policy with nothing added, for that directory, you *should*
> > be able to just restorecon -Rv /var/lib/mysql and have the correct
> > labelling.
>
> The equivalence is what has broken things for you then.
>
> Remember that the source of truth for labels doesn't follow the files
> themselves.
>
> Looking at that it appears you told selinux that your local config should
> have /var/lib/mysql match /var/lib/mysql.old ... note well the ordering
> there.
>
> The system policy for the latter will inherit from /var/lib as mysql.old is
> not a directory that is in the normal config.
>
> This "local config" making /var/lib/mysql in the policy match
> /var/lib/mysql.old is now overriding the default system config ... which is
> why restorecon is setting it to var_lib_t and not the mysql type.
>
> If you restorecon on /var/lib/mysql.old this will be evident.
>
> The fix is to semanage fcontext -d -e /var/lib/mysql to remove that
> incorrect local equivalence overriding base policy and then to restorecon
> -Rv /var/lib/mysql to put in place the correct labels.