How to Configure SELinux to Allow MySQL Connections for Secure Database Access


1 views

Many administrators face challenges when trying to run MySQL with SELinux enabled. While the common solution is to disable SELinux entirely, this compromises system security. The proper approach is to configure SELinux policies to allow MySQL operations while maintaining security.

First, verify if SELinux is enforcing policies:

sestatus

You'll see one of three states: enforcing, permissive, or disabled. For our purposes, we want it in enforcing mode.

MySQL typically uses port 3306. Check its current SELinux context:

semanage port -l | grep mysql

If MySQL's port isn't listed with the proper context, we need to add it.

There are several approaches to make MySQL work with SELinux:

Option 1: Set the Correct Port Context

semanage port -a -t mysqld_port_t -p tcp 3306

Option 2: Allow Network Connectivity

setsebool -P mysqld_connect_any on

Option 3: Modify File Contexts

If MySQL needs access to specific directories:

semanage fcontext -a -t mysqld_db_t "/path/to/directory(/.*)?"
restorecon -Rv /path/to/directory

Check SELinux denials in the audit log:

ausearch -m avc -c mysqld

Or generate human-readable reports:

sealert -a /var/log/audit/audit.log

To make changes persistent across reboots:

semanage export -o mysql_selinux_policy.pp
semodule -i mysql_selinux_policy.pp

After making changes, test MySQL connectivity and check for any remaining SELinux denials. The following command helps identify current boolean settings related to MySQL:

getsebool -a | grep mysql

Remember that proper SELinux configuration provides better security than simply disabling it. While it requires more initial setup, the long-term benefits for your system's security posture are significant.

When SELinux is enforcing, it applies security contexts to processes and files. MySQL typically runs under the mysqld_t domain, while network ports have their own contexts. The common permission issues occur when:

  • MySQL tries to access non-standard data directories
  • Clients attempt remote connections
  • MySQL uses non-default ports

First verify SELinux mode and MySQL context:

# Check SELinux operational mode
getenforce

# View mysqld security context
ps -eZ | grep mysqld
system_u:system_r:mysqld_t:s0 1234 ? 00:00:00 mysqld

These boolean values control key MySQL permissions:

# Allow MySQL to listen on all network ports
setsebool -P mysql_connect_any on

# Enable network connectivity
setsebool -P nis_enabled on

For custom MySQL ports, update SELinux port contexts:

# List current MySQL port assignments
semanage port -l | grep mysql

# Add custom port (e.g., 3307)
semanage port -a -t mysqld_port_t -p tcp 3307

When using non-standard data directories:

# Apply proper context to data directory
semanage fcontext -a -t mysqld_db_t "/custom/mysql/data(/.*)?"
restorecon -Rv /custom/mysql/data

If connections still fail, check audit logs and apply temporary permissive mode for diagnosis:

# View SELinux denials related to MySQL
ausearch -m avc -c mysqld

# Generate human-readable denial reports
sealert -a /var/log/audit/audit.log

For complex scenarios requiring custom policies:

# Generate custom policy module from audit logs
ausearch -m avc -c mysqld | audit2allow -M mysql_custom
semodule -i mysql_custom.pp