1. Run ls -lZ /var/lib/mysql to view the SELinux context of the default database location for mysql:

   # ls -lZ /var/lib/mysqldrwx------. mysql mysql unconfined_u:object_r:mysqld_db_t:s0 mysql

   This shows mysqld_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
2. Enter mysqlshow -u root -p and enter the mysqld root password to show the available databases:

   # mysqlshow -u root -pEnter password: *******+--------------------+| Databases  |+--------------------+| information_schema || mysql  || test   || wikidb |+--------------------+

3. Shut down the mysqld daemon with service mysqld stop as the root user:

   # service mysqld stopStopping MySQL: [  OK  ]

4. Create a new directory for the new location of the database(s). In this example, /mysql is used:

   # mkdir -p /mysql

5. Copy the database files from the old location to the new location:

   # cp -R /var/lib/mysql/* /mysql/

6. Change the ownership of this location to allow access by the mysql user and group. This sets the traditional Unix permissions which SELinux will still observe.

   # chown -R mysql:mysql /mysql

7. Run ls -lZ /opt to see the initial context of the new directory:

   # ls -lZ /optdrwxr-xr-x. mysql mysql unconfined_u:object_r:usr_t:s0   mysql

   The context usr_t of this newly created directory is not currently suitable to SELinux as a location for MySQL database files. Once the context has been changed, MySQL will be able to function properly in this area.
8. Open the main MySQL configuration file /etc/my.cnf with a text editor and modify the datadir option so that it refers to the new location. In this example the value that should be entered is /mysql.

   [mysqld]datadir=/mysql

   Save this file and exit.
9. Run service mysqld start as the root user to start mysqld. The service should fail to start, and a denial will be logged to the /var/log/messages file. However, if the audit daemon is running and with him the setroubleshoot service, the denial will be logged to the /var/log/audit/audit.log file instead:

   SELinux is preventing /usr/libexec/mysqld "write" access on /mysql. For complete SELinux messages. run sealert -l b3f01aff-7fa6-4ebe-ad46-abaef6f8ad71

   The reason for this denial is that /mysql is not labeled correctly for MySQL data files. SELinux is stopping MySQL from having access to the content labeled as usr_t. Perform the following steps to resolve this problem:
10. Run the following semanage command to add a context mapping for /mysql. Note that semanage is not installed by default. If it missing on your system, install the policycoreutils-python package.

    semanage fcontext -a -t mysqld_db_t "/mysql(/.*)?"

11. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

    # grep -i mysql /etc/selinux/targeted/contexts/files/file_contexts.local/mysql(/.*)? system_u:object_r:mysqld_db_t:s0

12. Now use the restorecon command to apply this context mapping to the running system:

    restorecon -R -v /mysql

13. Now that the /mysql location has been labeled with the correct context for MySQL, the mysqld daemon starts:

    # service mysqld startStarting MySQL: [  OK  ]

14. Confirm the context has changed for /mysql:

    ls -lZ /optdrwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql

15. The location has been changed and labeled, and the mysqld daemon has started successfully. At this point all running services should be tested to confirm normal operation.

1. Run ls -lZ /var/lib/pgsql to view the SELinux context of the default database location for postgresql:

   # ls -lZ /var/lib/pgsqldrwx------. postgres postgres system_u:object_r:postgresql_db_t:s0 data

   This shows postgresql_db_t which is the default context element for the location of database files. This context will have to be manually applied to the new database location that will be used in this example in order for it to function properly.
2. Create a new directory for the new location of the database(s). In this example, /opt/postgresql/data is used. If you use a different location, replace the text in the following steps with your location:

   # mkdir -p /opt/postgresql/data

3. Perform a directory listing of the new location. Note that the initial context of the new directory is usr_t. This context is not sufficient for SELinux to offer its protection mechanisms to PostgreSQL. Once the context has been changed, it will be able to function properly in the new area.

   # ls -lZ /opt/postgresql/drwxr-xr-x. root root unconfined_u:object_r:usr_t:s0   data

4. Change the ownership of the new location to allow access by the postgres user and group. This sets the traditional Unix permissions which SELinux will still observe.

   # chown -R postgres:postgres /opt/postgresql

5. Open the PostgreSQL init file /etc/rc.d/init.d/postgresql with a text editor and modify the PGDATA and PGLOG variables to point to the new location:

   # vi /etc/rc.d/init.d/postgresqlPGDATA=/opt/postgresql/dataPGLOG=/opt/postgresql/data/pgstartup.log

   Save this file and exit the text editor.
6. Initialize the database in the new location.

   su - postgres -c "initdb -D /opt/postgresql/data"

7. Having changed the database location, starting the service will fail at this point:

   # service postgresql startStarting postgresql service: [FAILED]

   SELinux has caused the service to not start. This is because the new location is not properly labelled. The following steps explain how to label the new location (/opt/postgresql) and start the postgresql service properly:
8. Run the semanage command to add a context mapping for /opt/postgresql and any other directories/files within it:

   semanage fcontext -a -t postgresql_db_t "/opt/postgresql(/.*)?"

9. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

   # grep -i postgresql /etc/selinux/targeted/contexts/files/file_contexts.local/opt/postgresql(/.*)? system_u:object_r:postgresql_db_t:s0

10. Now use the restorecon command to apply this context mapping to the running system:

    restorecon -R -v /opt/postgresql

11. Now that the /opt/postgresql location has been labeled with the correct context for PostgreSQL, the postgresql service will start successfully:

    # service postgresql startStarting postgreSQL service: [  OK  ]

12. Confirm the context is correct for /opt/postgresql:

    ls -lZ /optdrwxr-xr-x. root root system_u:object_r:postgresql_db_t:s0 postgresql

13. Check with the ps command that the postgresql process displays the new location:

    # ps aux | grep -i postmasterpostgres 21564  0.3  0.3  42308  4032 ? S 10:13   0:00 /usr/bin/postmaster -p 5432 -D /opt/postgresql/data

14. The location has been changed and labeled, and the postgresql daemon has started successfully. At this point all running services should be tested to confirm normal operation.

Getting rsync to launch as rsync_t

1. Run getenforce to confirm SELinux is running in enforcing mode:

   $ getenforceEnforcing

   The getenforce command returns Enforcing when SELinux is running in enforcing mode.
2. Run the which command to confirm that the rsync binary is in the system path:

   $ which rsync/usr/bin/rsync

3. When running rsync as a daemon, a configuration file should be used and saved as /etc/rsyncd.conf. Note that the following configuration file used in this example is very simple and is not indicative of all the possible options that are available, rather it is just enough to demonstrate the rsync daemon:

   log file = /var/log/rsync.logpid file = /var/run/rsyncd.pidlock file = /var/run/rsync.lock[files] path = /srv/files comment = file area read only = falsetimeout = 300

4. Now that a simple configuration file exists for rsync to operate in daemon mode, this step demonstrates that simply running rsync --daemon is not sufficient for SELinux to offer its protection over rsync. Refer to the following output:

   # rsync --daemon# ps x | grep rsync 8231 ? Ss 0:00 rsync --daemon 8233 pts/3 S+ 0:00 grep rsync# ps -eZ | grep rsyncunconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8231 ? 00:00:00 rsync

   Note that in the output from the final ps command, the context shows the rsync daemon running in the unconfined_t domain. This indicates that rsync has not transitioned to the rsync_t domain as it was launched by the rsync --daemon command. At this point SELinux can not enforce its rules and policy over this daemon. Refer to the following steps to see how to fix this problem. In the following steps, rsync will transition to the rsync_t domain by launching it from a properly-labeled init script. Only then can SELinux and its protection mechanisms have an effect over rsync. This rsync process should be killed before proceeding to the next step.
5. A custom init script for rsync is needed for this step. Save the following to /etc/rc.d/init.d/rsyncd.

   #!/bin/bash# Source function library.. /etc/rc.d/init.d/functions[ -f /usr/bin/rsync ] || exit 0case "$1" instart)action "Starting rsyncd: " /usr/bin/rsync --daemon;stop)action "Stopping rsyncd: " killall rsync;*)echo "Usage: rsyncd {start|stop}"exit 1esacexit 0

   The following steps show how to label this script as initrc_exec_t:
6. Run the semanage command to add a context mapping for /etc/rc.d/init.d/rsyncd:

   semanage fcontext -a -t initrc_exec_t "/etc/rc.d/init.d/rsyncd"

7. This mapping is written to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

   # grep rsync /etc/selinux/targeted/contexts/files/file_contexts.local/etc/rc.d/init.d/rsyncd system_u:object_r:initrc_exec_t:s0

8. Now use the restorecon command to apply this context mapping to the running system:

   restorecon -R -v /etc/rc.d/init.d/rsyncd

9. Run the ls -lZ command to confirm the script has been labeled appropriately. Note that in the following output the script has been labeled as initrc_exec_t:

    ls -lZ /etc/rc.d/init.d/rsyncd-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/rsyncd

10. Launch rsyncd via the new script. Now that rsync has started from an init script that has been appropriately labeled, the process will start as rsync_t:

    # service rsyncd startStarting rsyncd:   [  OK  ]ps -eZ | grep rsyncunconfined_u:system_r:rsync_t:s0 9794 ? 00:00:00 rsync

    SELinux can now enforce its protection mechanisms over the rsync daemon as it is now runing in the rsync_t domain.

Running the rsync daemon on a non-default port

1. Modify the /etc/rsyncd.conf file and add the port = 10000 line at the top of the file in the global configuration area (ie., before any file areas are defined). The new configuration file will look like:

   log file = /var/log/rsyncd.logpid file = /var/run/rsyncd.pidlock file = /var/run/rsync.lockport = 10000[files] path = /srv/files comment = file area read only = falsetimeout = 300

2. After launching rsync from the init script with this new setting, a denial similar to the following is logged by SELinux:

   Jul 22 10:46:59 localhost setroubleshoot: SELinux is preventing the rsync (rsync_t) from binding to port 10000. For complete SELinux messages. run sealert -l c371ab34-639e-45ae-9e42-18855b5c2de8

3. Run the semanage command to add TCP port 10000 to SELinux policy in rsync_port_t:

   # semanage port -a -t rsync_port_t -p tcp 10000

4. Now that TCP port 10000 has been added to SELinux policy for rsync_port_t, rsyncd will start and operate normally on this port:

   # service rsyncd startStarting rsyncd:   [  OK  ]

   # netstat -lnp | grep 10000tcp 0  0 0.0.0.0:10000   0.0.0.0:*  LISTEN  9910/rsync

Running SpamAssassin on a non-default port

1. Run the semanage command to show the port that SELinux allows spamd to listen on by default:

   # semanage port -l | grep spamdspamd_port_ttcp783

   This output shows that TCP/783 is defined in spamd_port_t as the port for SpamAssassin to operate on.
2. Edit the /etc/sysconfig/spamassassin configuration file and modify it so that it will start SpamAssassin on the example port TCP/10000:

   # Options to spamdSPAMDOPTIONS="-d -p 10000 -c m5 -H"

   This line now specifies that SpamAssassin will operate on port 10000. The rest of this example will show how to modify SELinux policy to allow this socket to be opened.
3. Start SpamAssassin and an error message similar to the following will appear:

   # service spamassassin startStarting spamd: [2203] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:10000: Permission denied[2203] warn: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:10000: Permission denied[2203] error: spamd: could not create INET socket on 127.0.0.1:10000: Permission deniedspamd: could not create INET socket on 127.0.0.1:10000: Permission denied   [FAILED]

   This output means that SELinux has blocked access to this port.
4. A denial similar to the following will be logged by SELinux:

   SELinux is preventing the spamd (spamd_t) from binding to port 10000.

5. As the root user, run the semanage command to modify SELinux policy in order to allow SpamAssassin to operate on the example port (TCP/10000):

   semanage port -a -t spamd_port_t -p tcp 10000

6. Confirm that SpamAssassin will now start and is operating on TCP port 10000:

   # service spamassassin startStarting spamd:[ OK ]# netstat -lnp | grep 10000tcp00 127.0.0.1:100000.0.0.0:*LISTEN2224/spamd.pid

7. At this point, spamd is properly operating on TCP port 10000 as it has been allowed access to that port by SELinux policy.