On 2007-04-21, Florin Andrei <florin(a)andrei.myip.org> wrote:
> # Add new labeling rule:
> /usr/sbin/semanage fcontext -a -t mysqld_db_t "/db/mysql(/.*)?"
Which files are modified by this command, and will the changes persist
after updates will be released (and applied) for the selinux RPMs?
The new rule is added to /etc/selinux/targeted/contexts/files/file_contexts.local
and will persist after upgrades of mysql/selinux.
I guess I should run semanage for /db/tmp as well?
I think you will get away with simply labelling /db/ as mysqld_db_t:
/usr/sbin/semanage fcontext -a -t mysqld_db_t "/db(/.*)?"
restorecon -R /db
# grep /db /etc/fstab
LABEL=/db /db ext3 defcontext=system_u:object_r:var_t:s0 1 2
That doesn't look right to me.. I think you should label it mysqld_db_t,
not var_t. mysqld_db_t should mean only mysql will have access to these
files and directories, while var_t is much more open. Lots of apps
probably have access to var_t.
But -- you should probably do either mount option, or "semanage fcontext".
No need to do both.