Managing MariaDB Data Directory Permissions with SELinux and AppArmor
Understanding the Problem
When you move MariaDB's data directory (usually /var/lib/mysql or /var/lib/mariadb), the MariaDB server process needs permission to read and write to the new location. SELinux and AppArmor enforce mandatory access control, meaning that even if the MariaDB user has file system permissions, these security modules can still block access.
Identifying Your Security Module
First, determine which security module your system uses:
SELinux: Run getenforce. If it returns Enforcing or Permissive, SELinux is active
AppArmor: Run apparmor_status. If it shows loaded profiles, AppArmor is active
Configuring SELinux
If SELinux is active, follow these steps:
Identify the Current SELinux Context of the Data Directory:
The output will look something like this:
or
Apply the Correct SELinux Context:
Update MariaDB Configuration: Edit the MariaDB configuration file (usually /etc/my.cnf, /etc/mysql/my.cnf, or /etc/my.cnf.d/server.cnf):
Restart MariaDB:
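The check-and-relabel part of the SELinux steps above, as one script. This is an added example, not part of the original page; the type mysqld_db_t (the label the targeted policy is assumed to use for MariaDB data), the path /data/mariadb, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: check and correct the SELinux label on a relocated data directory.
# Assumption: the installed policy labels MariaDB data as mysqld_db_t.
EXPECTED_TYPE="mysqld_db_t"

# Extract the type field from a context string (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if the context carries the expected type.
context_ok() {
    [ "$(selinux_type "$1")" = "$EXPECTED_TYPE" ]
}

# Build the file-context regex covering the directory and everything under it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Persist the label rule, then relabel existing files to match it.
relabel_datadir() {
    dir=$1
    case $dir in
        /?*) ;;
        *) echo "absolute path below / required" >&2; return 2 ;;
    esac
    current=$(stat -c %C "$dir") || return 1
    if context_ok "$current"; then
        echo "OK: $dir already labeled $current"
        return 0
    fi
    echo "Relabeling $dir (currently $current)"
    pattern=$(fcontext_pattern "$dir")
    # -a adds a new rule; fall back to -m if a rule for this path already exists.
    semanage fcontext -a -t "$EXPECTED_TYPE" "$pattern" ||
        semanage fcontext -m -t "$EXPECTED_TYPE" "$pattern" || return 1
    restorecon -Rv "$dir"
}

# Acts only when given a directory, e.g. ./relabel.sh /data/mariadb (hypothetical path).
if [ "$#" -eq 1 ]; then
    relabel_datadir "$1"
fi
```

Run it as root after copying the data into place and before restarting MariaDB; the semanage rule keeps the label in place across later full relabels.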
Troubleshooting SELinux
Check SELinux Logs: Use ausearch -m avc -ts recent to show denied operations
Set SELinux to Permissive (Testing Only): Use setenforce 0, and setenforce 1 to revert
Configuring AppArmor
Edit the AppArmor Profile:
Edit the profile and add new rules:
Reload the AppArmor Profile:
Update MariaDB Configuration:
Restart MariaDB:
Troubleshooting AppArmor
Check Logs: Use dmesg | grep apparmor or check /var/log/syslog or /var/log/audit/audit.log
Complain Mode (Testing Only):