I'm managing an Amazon virtual machine with an 8G / partition and a larger secondary storage device attached. I enabled SELinux, and I'm trying to make things work (and keep things secure) while migrating some things, such as the LDAP & MySQL directories, to the second device.

As far as I know, simply extending the / partition isn't an option (not LVM)... Conceivably I could just make a larger clone machine, but there are a lot of advantages to having the separate storage device: it can be LVM, it prevents the / filesystem from getting filled up, it can be detached/reattached to other machines, etc. So I'm trying like heck to keep the second storage device separate.

Here's the problem:

I mount /data, and now I've got to move & preserve things like the /var/lib/mysql directory to a subdir of /data, while preserving SELinux types and everything. I started out by simply mimicking the / structure...

                # mount the secondary device and mirror the /var/lib path on it
                sudo mount /data
                sudo mkdir -p /data/var/lib

                # copy owner, SELinux context and mode from each original directory
                sudo chown --reference=/ /data
                sudo chcon --reference=/ /data
                sudo chmod --reference=/ /data

                sudo chown --reference=/var /data/var
                sudo chcon --reference=/var /data/var
                sudo chmod --reference=/var /data/var

                sudo chown --reference=/var/lib /data/var/lib
                sudo chcon --reference=/var/lib /data/var/lib
                sudo chmod --reference=/var/lib /data/var/lib

And finally

                # copy the mysql tree, preserving permissions and SELinux labels
                cd /var/lib ; sudo tar cpf - --selinux mysql | (cd /data/var/lib ; sudo tar xpf - --selinux) ; cd -


I understand that chcon is not persistent...

And after all the above was done, I meticulously examined all the contexts of all those directories and confirmed they do match the original...


Unfortunately, as soon as I start mysqld, the context of /data/var/lib/mysql gets reset.  I don't know how or why that is happening, but I presume it's because I haven't set the fcontext.  So ...

I want to write a script that walks through the whole /var/lib/mysql directory and creates matching fcontexts for /data/var/lib/mysql. Better yet... I would like to create fcontexts for /data that are a complete replica of those for /.


Here is where I'm getting stuck.  I can do "semanage fcontext -l" and I see all the information, but it's not in a format that's suitable to modify and feed back into semanage.  I can do "semanage -o -" but it only says "fcontext -D" which is not helpful.


I can't seem to find any combination of commands that will allow me to get all the fcontexts of / (or a relatively large subdir of /) and modify them with the /data prefix to feed back into semanage.


Help please?


Thanks...
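One way to do the rewrite the question asks for, as an added example that is not part of the original post: parse the `semanage fcontext -l` listing, keep the entries under the source path, and emit `semanage fcontext -a` commands with the new prefix. It assumes the usual three-column listing layout and the single-letter `-f` file-type codes of recent policycoreutils; the sample listing is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): turn `semanage fcontext -l`
# listing lines for a source tree into `semanage fcontext -a` commands for the
# same tree under a new prefix. Assumes the three-column listing (regex,
# file-type description, context) and single-letter -f codes; "all files"
# entries take no -f at all.

# Map the listing's file-type description to the semanage -f flag.
ftype_flag() {
  case "$1" in
    "all files")        echo "" ;;
    "regular file")     echo "-f f" ;;
    "directory")        echo "-f d" ;;
    "character device") echo "-f c" ;;
    "block device")     echo "-f b" ;;
    "socket")           echo "-f s" ;;
    "symbolic link")    echo "-f l" ;;
    "named pipe")       echo "-f p" ;;
    *)                  return 1 ;;
  esac
}

# gen_fcontext_cmds SRC PREFIX  (listing on stdin)
# Keeps entries whose regex starts with SRC and emits one add command each,
# with PREFIX prepended to the regex and the bare type taken from the context.
gen_fcontext_cmds() {
  src="$1"; prefix="$2"
  while IFS= read -r line; do
    case "$line" in
      "$src"*) ;;                         # entry lives under SRC
      *) continue ;;                      # header line or unrelated path
    esac
    regex=${line%% *}                     # first column
    ctx=${line##* }                       # last column: user:role:type:level
    rest=${line#"$regex"}; rest=${rest% "$ctx"}
    ftype=$(echo $rest)                   # unquoted on purpose: squeezes padding
    setype=$(printf '%s' "$ctx" | cut -d: -f3)
    flag=$(ftype_flag "$ftype") || continue   # unknown file type: skip it
    cmd="semanage fcontext -a"
    if [ -n "$flag" ]; then cmd="$cmd $flag"; fi
    printf "%s -t %s '%s%s'\n" "$cmd" "$setype" "$prefix" "$regex"
  done
}

# Constructed sample of `semanage fcontext -l` output: header plus three rules.
SAMPLE_LISTING='SELinux fcontext                                   type               Context
/var/lib/mysql(/.*)?                               all files          system_u:object_r:mysqld_db_t:s0
/var/lib/mysql/mysql\.sock                         socket             system_u:object_r:mysqld_var_run_t:s0
/var/log/mysql(/.*)?                               all files          system_u:object_r:mysqld_log_t:s0'
# Pipe the output to sh to apply it, then run restorecon -R on the new tree.
printf '%s\n' "$SAMPLE_LISTING" | gen_fcontext_cmds /var/lib/mysql /data
```

On recent policycoreutils a single equivalence rule, `semanage fcontext -a -e /var/lib/mysql /data/var/lib/mysql` followed by `restorecon -R /data/var/lib/mysql`, covers the whole subtree without enumerating entries.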