Active IQ Unified Manager 9.14

to Japanese version

SELinux requirements on NFS and CIFS shares

If you are planning to mount /opt/fujitsu or /opt/netapp/data on an NAS or SAN device, and you have SELinux enabled, you need to be aware of a few considerations.

If you are planning to mount /opt/fujitsu or /opt/netapp/data from anywhere other than the root file system, and you have SELinux enabled in your environment, you should set the correct context for the mounted directories. For the applicable scenario in your environment, follow these steps for setting and confirming the correct SELinux context.

Configuring the SELinux context when /opt/netapp/data is mounted

If you have mounted /opt/netapp/data in your system and SELinux is set to Enforcing, ensure that the SELinux context type for /opt/netapp/data is set to mysqld_db_t, which is the default context element for the location of the database files.

  1. Run this command to check the context:

    ls -dZ /opt/netapp/data

    A sample output:

    drwxr-xr-x. mysql root unconfined_u:object_r:default_t:s0 /opt/netapp/data
    In this output, the context is default_t. You should change this context to mysqld_db_t.
  2. Perform these steps to set the context based on how you have mounted /opt/netapp/data.

    1. Run the following commands to set the context to mysqld_db_t: semanage fcontext -a -t mysqld_db_t "/opt/netapp/data" restorecon -R -v /opt/netapp/data

    2. If you have configured /opt/netapp/data in /etc/fstab, you should edit the /etc/fstab file. For the /opt/netapp/data/ mount option, add the MySQL label as:

      context=system_u:object_r:mysqld_db_t:s0

    3. Unmount and remount /opt/netapp/data/ for enabling the context.

    4. If you have a direct NFS mount, run the following command to set the context to mysqld_db_t:

      mount <nfsshare>:/<mountpoint> /opt/netapp/data -o context=system_u:object_r:mysqld_db_t:s0

  3. Verify whether the context is set correctly:

    ls -dZ /opt/netapp/data/

    A sample output:

    drwxr-xr-x. mysql root unconfined_u:object_r:mysqld_db_t:s0 /opt/netapp/data/

Configuring the SELinux context when /opt/fujitsu is mounted, and /opt/netapp/data/ is also mounted separately

In this scenario, at first, you should set the context for /opt/netapp/data/ as described in the previous section. After setting the correct context for /opt/netapp/data/, ensure that the parent directory /opt/fujitsu does not have the SELinux context set to file_t.

Steps
  1. Run this command to check the context:

    ls -dZ /opt/fujitsu

    A sample output:

    drwxr-xr-x. mysql root unconfined_u:object_r:file_t:s0 /opt/fujitsu

    In this output, the context is file_t should be changed. The following commands set the context to usr_t. You can set the context to any value other than file_t based on your security requirements.

  2. Perform these steps to set the context, based on how you have mounted /opt/fujitsu.

    1. Run the following commands to set the context:

      semanage fcontext -a -t usr_t "/opt/fujitsu"
      restorecon -v /opt/fujitsu
    2. If you have configured /opt/fujitsu in /etc/fstab, you should edit the /etc/fstab file. For the /opt/fujitsu mount option, add the MySQL label as:

      context=system_u:object_r:usr_t:s0

    3. Unmount, and then again mount /opt/fujitsu for enabling the context.

    4. If you have a direct NFS mount, run the following command to set the context:

      mount <nfsshare>:/<mountpoint> /opt/fujitsu -o context=system_u:object_r:usr_t:s0

  3. Verify whether the context is set correctly:

    ls -dZ /opt/fujitsu

    A sample output

    drwxr-xr-x. mysql root unconfined_u:object_r:usr_t:s0 /opt/fujitsu

Configuring the SELinux context when /opt/fujitsu is mounted, and /opt/netapp/data/ is not mounted separately

If you have mounted /opt/fujitsu in your system and SELinux is set to Enforcing, ensure that the SELinux context type for /opt/fujitsu is set to mysqld_db_t, which is the default context element for the location of the database files.

Steps
  1. Run this command to check the context:

    ls -dZ /opt/fujitsu

    A sample output:

    drwxr-xr-x. mysql root unconfined_u:object_r:default_t:s0 /opt/fujitsu
    In this output, the context is default_t. You should change this context to mysqld_db_t.
  2. Perform the following steps to set the context based on how you have mounted /opt/fujitsu.

    1. Run the following commands to set the context to mysqld_db_t: semanage fcontext -a -t mysqld_db_t "/opt/fujitsu" restorecon -R -v /opt/fujitsu

    2. If you have configured /opt/fujitsu in /etc/fstab, edit the /etc/fstab file. For the /opt/netapp/ mount option, add the MySQL label as: context=system_u:object_r:mysqld_db_t:s0

    3. Unmount, and then again mount /opt/netapp/ for enabling the context.

    4. If you have a direct NFS mount, run the following command to set the context to mysqld_db_t: mount <nfsshare>:/<mountpoint> /opt/fujitsu -o context=system_u:object_r:mysqld_db_t:s0

  3. Verify whether the context is set correctly:

    ls -dZ /opt/netapp/

    A sample output:

    drwxr-xr-x. mysql root unconfined_u:object_r:mysqld_db_t:s0 /opt/netapp/

Top of Page