Get started with SQL Server on SELinux

This article helps you get started with SQL Server as a confined service on a Security-Enhanced Linux (SELinux) distribution based on Red Hat Enterprise Linux (RHEL).

What is Security-Enhanced Linux?

Security-Enhanced Linux (SELinux) is a security architecture for Linux systems. It helps define access controls for applications, processes, and files on a system. SELinux uses a set of rules, or security policies, to define what can or can't be accessed. SELinux provides administrators more control over who can access the system. For more information, see What is SELinux (Security-Enhanced Linux).

For details about how to enable SELinux for Red Hat systems, see SELinux Architecture. You can also get started with an SELinux-enabled operating system for free.

SQL Server 2022 on Linux is officially certified with RHEL 9 (as of July 2024), and is now generally available on the Red Hat Ecosystem Catalog.

SQL Server and SELinux

A confined service with SELinux means that it's restricted by security rules, explicitly defined in the SELinux policy. For SQL Server, the SELinux custom policies are defined in the mssql-server-selinux package.

Prerequisites

  1. Enable SELinux and set it to enforcing mode. Check the SELinux status by running the sestatus command.

    sestatus
    

    Here's the expected output.

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Memory protection checking:     actual (secure)
    Max kernel policy version:      33
    
  2. Install the mssql-server-selinux package that defines the required custom policies.

Note

If any of the prerequisites aren't met, SQL Server runs as an unconfined service.

Minimum RHEL minor version requirement

To run SQL Server as a confined application on RHEL 9, you must use a minimum RHEL minor version. This requirement exists because of point-release dependencies in SELinux packages. The mssql-server-selinux package, which you need to run SQL Server in confined mode, depends on the selinux-policy and selinux-policy-base packages.

Steps to identify minimum RHEL minor version

  1. Add the SQL Server repository that contains mssql-server-selinux.

    For SQL Server 2025 (17.x) on RHEL 9:

    sudo curl -o /etc/yum.repos.d/mssql-server.repo https://packages.microsoft.com/config/rhel/9/mssql-server-2025.repo
    

    For SQL Server 2022 (16.x) on RHEL 9:

    sudo curl -o /etc/yum.repos.d/mssql-server.repo https://packages.microsoft.com/config/rhel/9/mssql-server-2022.repo
    

    Note

    If you plan to install on RHEL 10, then change to the RHEL 10 repositories.

  2. Run the following command to view the SELinux policy dependencies:

    sudo dnf repoquery --requires --latest-limit=1 mssql-server-selinux | egrep '^selinux-policy(-base)?'
    
  3. The output includes the minimum selinux-policy build that mssql-server-selinux requires. A suffix such as .el9_6 is the RHEL 9 minor release that the policy build was made for: .el9_6 corresponds to RHEL 9.6. Here's example output:

    selinux-policy >= 38.1.53-5.el9_6
    selinux-policy-base >= 38.1.53-5.el9_6
    

    In this example, the highest minor-version-tagged requirement is 38.1.53-5.el9_6, so you need at least RHEL 9.6 to install mssql-server-selinux and run SQL Server as a confined application on RHEL 9.

    If no such suffix appears in the output (for example, a requirement of the form selinux-policy >= 38.1.53-5 with no .el9_N tag), refer to Red Hat documentation to determine which RHEL minor release first shipped that selinux-policy build.
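The following script automates steps 1 through 3 of this procedure: it reads the dnf repoquery output, extracts the highest .elN_M tag from the selinux-policy requirements, and compares it with VERSION_ID from /etc/os-release. This is an added example, not part of the original article or of Microsoft's tooling; the repoquery output it parses is a constructed sample shaped like the one above, and the live invocation is shown in a comment.

```bash
#!/usr/bin/env bash
# Added example (not from the article): find the minimum RHEL minor release that
# mssql-server-selinux needs and check the running host against it.
set -eu

# Read `dnf repoquery --requires --latest-limit=1 mssql-server-selinux` output on
# stdin and print "MAJOR MINOR" for the highest .elMAJOR_MINOR tag found on the
# selinux-policy / selinux-policy-base requirements. Prints nothing when the
# requirements carry no such tag (then consult Red Hat's selinux-policy errata).
min_rhel_minor() {
    sed -nE '/^selinux-policy(-base)? /s/.*\.el([0-9]+)_([0-9]+).*/\1 \2/p' \
        | sort -k1,1n -k2,2n | tail -n 1
}

# rhel_minor_ok VERSION_ID MAJOR MINOR: succeed when a host reporting VERSION_ID
# (for example "9.6" from /etc/os-release) is on the same major release and at
# least minor release MINOR. A different major release fails: RHEL 10 needs the
# RHEL 10 repository and its own policy build, not this requirement.
rhel_minor_ok() {
    local version_id=$1 need_major=$2 need_minor=$3
    local have_major=${version_id%%.*} have_minor=0
    case "$version_id" in *.*) have_minor=${version_id#*.} ;; esac
    [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]
}

# Constructed sample of the repoquery output, shaped like the article's example.
SAMPLE_REQUIRES='/bin/sh
selinux-policy >= 38.1.53-5.el9_6
selinux-policy-base >= 38.1.53-5.el9_6'

need=$(printf '%s\n' "$SAMPLE_REQUIRES" | min_rhel_minor)
if [ -z "$need" ]; then
    echo "no .elN_M tag in requirements; check Red Hat documentation for the build"
else
    need_major=${need% *}; need_minor=${need#* }
    echo "mssql-server-selinux needs RHEL ${need_major}.${need_minor} or later"
    for host in 9.4 9.6 9.7 10.0; do
        if rhel_minor_ok "$host" "$need_major" "$need_minor"; then
            echo "  host on RHEL $host: OK"
        else
            echo "  host on RHEL $host: does not meet the requirement"
        fi
    done
fi
# Live use on a RHEL host:
#   need=$(sudo dnf repoquery --requires --latest-limit=1 mssql-server-selinux | min_rhel_minor)
#   . /etc/os-release; rhel_minor_ok "$VERSION_ID" $need && echo "confined mode is installable"
```

The major-release check is deliberate: a .el9_6 tag says nothing about RHEL 10, which has its own repository and policy build, so the script reports a 10.x host as not matching rather than silently passing it.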

Install SQL Server as a confined service

By default, the mssql-server package installs SQL Server without the SELinux policy, and SQL Server runs as an unconfined service (in the unconfined_service_t domain). The mssql-server package installation automatically enables the selinuxuser_execmod Boolean. You can verify that SQL Server is running unconfined with the following command:

ps -eZ | grep sqlservr

Here's the expected output.

system_u:system_r:unconfined_service_t:s0 48265 ? 00:00:02 sqlservr

When you install the mssql-server-selinux package, it loads a custom SELinux policy module named mssql that confines the sqlservr process in the new mssql_server_t domain, and the selinuxuser_execmod Boolean is reset to its default. A process is assigned its domain when it's executed, so if sqlservr was already running when you installed the package, restart the mssql-server service before you check again:

ps -eZ | grep sqlservr

Here's the expected output.

system_u:system_r:mssql_server_t:s0 48941 ?      00:00:02 sqlservr
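To check confinement mechanically rather than by eye, the following script extracts the sqlservr domain from ps -eZ output and the current mode from sestatus, and prints a verdict; confinement only restricts anything while SELinux is enforcing, so the mode matters as much as the domain. This is an added example, not part of the article or of Microsoft's tooling. The two ps lines and the sestatus excerpt it runs on are constructed to match the outputs shown above, and the live invocation is in a comment.

```bash
#!/usr/bin/env bash
# Added example (not from the article): decide whether sqlservr is confined from
# `ps -eZ` and `sestatus` output, so the check can run from a script or a health probe.
set -eu

# Print the SELinux domain of the sqlservr process from `ps -eZ` output on stdin.
# A context is user:role:type:level, so the domain is the third colon-separated
# field of the first column. Prints nothing when no sqlservr process is listed.
sqlservr_domain() {
    awk '$NF == "sqlservr" { split($1, ctx, ":"); print ctx[3]; exit }'
}

# Print the "Current mode" value (enforcing, permissive, disabled) from `sestatus`
# output on stdin.
selinux_mode() {
    awk -F': *' '$1 == "Current mode" { print $2 }'
}

# confinement_verdict DOMAIN MODE: one line describing the state. A process in
# mssql_server_t is only actually restricted when the policy is enforced; in
# permissive mode denials are logged but not blocked.
confinement_verdict() {
    local domain=$1 mode=$2
    case "$domain" in
        mssql_server_t)
            if [ "$mode" = enforcing ]; then
                echo "confined (mssql policy, enforcing)"
            else
                echo "labeled mssql_server_t but SELinux is $mode: not enforced"
            fi ;;
        unconfined_service_t) echo "unconfined: install mssql-server-selinux and restart mssql-server" ;;
        "") echo "sqlservr is not running" ;;
        *) echo "unexpected domain $domain: check the loaded policy modules" ;;
    esac
}

# Constructed samples matching the article's expected outputs (not captured live).
PS_UNCONFINED='LABEL                                     PID TTY          TIME CMD
system_u:system_r:unconfined_service_t:s0 48265 ? 00:00:02 sqlservr'
PS_CONFINED='system_u:system_r:mssql_server_t:s0 48941 ?      00:00:02 sqlservr'
SESTATUS_SAMPLE='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'

mode=$(printf '%s\n' "$SESTATUS_SAMPLE" | selinux_mode)
for sample in "$PS_UNCONFINED" "$PS_CONFINED"; do
    confinement_verdict "$(printf '%s\n' "$sample" | sqlservr_domain)" "$mode"
done
# Live use: confinement_verdict "$(ps -eZ | sqlservr_domain)" "$(sestatus | selinux_mode)"
```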

SQL Server and SELinux types

When you install the optional SELinux policy using the mssql-server-selinux package, it defines these new types:

SELinux type            Description
mssql_opt_t             Installation files of mssql-server under /opt/mssql
mssql_server_exec_t     Executable files under /opt/mssql/bin/ (executing them transitions into the mssql_server_t domain)
mssql_paldumper_exec_t  Executables and scripts that need special permissions to manage core dumps
mssql_conf_exec_t       Management tool at /opt/mssql/bin/mssql-conf
mssql_var_t             Label for files under /var/opt/mssql
mssql_db_t              Label for the database files under /var/opt/mssql/data

Examples

The following example demonstrates changing the database location when SQL Server runs as a confined service.

  1. Create the directories, make the mssql user their owner, and label them as mssql_db_t.

    sudo mkdir -p /opt/mydb/data
    sudo chown -R mssql:mssql /opt/mydb
    sudo semanage fcontext -a -t mssql_db_t "/opt/mydb(/.*)?"
    sudo restorecon -R -v /opt/mydb
    

    The semanage fcontext command manages the SELinux file context mapping. The -a parameter adds a new file context rule, and the -t parameter sets the SELinux type to apply, which in this case is mssql_db_t for SQL Server database files. The final argument is the path pattern, /opt/mydb in this example, written as a regular expression that also matches every file and subdirectory within it. The rule is stored in the policy, so it survives a full filesystem relabel (unlike a one-off chcon), but it isn't applied to files that already exist until restorecon runs.

  2. Set the default database location using mssql-conf, and restart SQL Server so the change takes effect.

    sudo /opt/mssql/bin/mssql-conf set filelocation.defaultdatadir /opt/mydb/data
    sudo systemctl restart mssql-server
    
  3. Verify by creating a new database using Transact-SQL:

    CREATE DATABASE TestDatabase;
    GO
    
  4. Verify that the new database files were created with the appropriate label.

    sudo ls -lZ /opt/mydb/data/
    

    Here's the expected output.

    total 16384
    -rw-rw----. 1 mssql mssql system_u:object_r:mssql_db_t:s0 8388608 Aug  2 14:27 TestDatabase_log.ldf
    -rw-rw----. 1 mssql mssql system_u:object_r:mssql_db_t:s0 8388608 Aug  2 14:27 TestDatabase.mdf
    

    In this output, both new files carry the mssql_db_t type, matching the label applied to /opt/mydb/data.
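Files that SQL Server creates in the labeled directory get mssql_db_t, but files you move in yourself can miss it: mv keeps a file's original SELinux context, so a database or backup file moved from elsewhere keeps whatever label it had, and a confined sqlservr is then denied access to it. The following script, an added example that is not part of the article or of Microsoft's tooling, reads path/context pairs in the shape that `find /opt/mydb -printf '%p %Z\n'` produces and lists every entry whose type isn't mssql_db_t. The listing it runs on is constructed, including one backup file moved in from a home directory.

```bash
#!/usr/bin/env bash
# Added example (not from the article): list entries under a relocated data
# directory whose SELinux type is not the expected one, so a missed relabel is
# caught before SQL Server fails to open a file.
set -eu

EXPECTED_TYPE=mssql_db_t

# mislabeled [TYPE]: read "path context" lines on stdin (as produced by
# `find DIR -printf '%p %Z\n'`) and print "path actual_type" for each entry whose
# context type differs from TYPE (default mssql_db_t). Paths may contain spaces;
# the context is always the last whitespace-delimited field.
mislabeled() {
    awk -v want="${1:-$EXPECTED_TYPE}" '
        NF >= 2 {
            split($NF, ctx, ":")          # user:role:type:level
            if (ctx[3] != want) {
                path = $0
                sub(/ [^ ]+$/, "", path)  # drop the trailing context field
                print path, ctx[3]
            }
        }'
}

# Constructed listing (not captured live): the two files SQL Server created in the
# example above, plus a backup moved in with `mv`, which preserved its old label.
SAMPLE_LISTING='/opt/mydb system_u:object_r:mssql_db_t:s0
/opt/mydb/data system_u:object_r:mssql_db_t:s0
/opt/mydb/data/TestDatabase.mdf system_u:object_r:mssql_db_t:s0
/opt/mydb/data/TestDatabase_log.ldf system_u:object_r:mssql_db_t:s0
/opt/mydb/data/Old Backup.bak unconfined_u:object_r:user_home_t:s0'

bad=$(printf '%s\n' "$SAMPLE_LISTING" | mislabeled)
if [ -n "$bad" ]; then
    printf 'entries not labeled %s (fix with: sudo restorecon -R -v /opt/mydb):\n%s\n' \
        "$EXPECTED_TYPE" "$bad"
else
    echo "all entries are labeled $EXPECTED_TYPE"
fi
# Live use: sudo find /opt/mydb -printf '%p %Z\n' | mislabeled
```

Because the semanage fcontext rule from step 1 already covers /opt/mydb(/.*)?, running restorecon -R again is the complete fix for anything this audit reports; no new rule is needed.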