From: https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/
After installing mysql 10.0.29, starting mysql fails:
[root@server centos]# systemctl status mysql
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2017-01-14 10:17:09 UTC; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14010 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
  Process: 14016 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)

Jan 14 10:17:08 server systemd[1]: Starting LSB: start and stop MySQL...
Jan 14 10:17:08 server mysql[14016]: Starting MySQL.170114 10:17:08 mysqld_safe Logging to '/var/lib/mysql/server.err'.
Jan 14 10:17:08 server mysql[14016]: 170114 10:17:08 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
Jan 14 10:17:09 server mysql[14016]: ERROR!
Jan 14 10:17:09 server systemd[1]: mysql.service: control process exited, code=exited status=1
Jan 14 10:17:09 server systemd[1]: Failed to start LSB: start and stop MySQL.
Jan 14 10:17:09 server systemd[1]: Unit mysql.service entered failed state.
Jan 14 10:17:09 server systemd[1]: mysql.service failed.
As you can see, the mysql service is down. The error shows that mysqld_safe_helper tried to change its UID/GID and failed:
Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
Following the hint in the error, run journalctl -xe:
[root@server mysql]# journalctl -xe
Jan 14 10:21:38 server setroubleshoot[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability. For complete SELinux messages. run sealert -l 640a7d54-35ab-43b5-9267-db6f159e1449
Jan 14 10:21:38 server python[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mysqld_safe_helper should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
# semodule -i my-mysqldsafehel.pp
The log above shows that SELinux is blocking what mysqld_safe_helper does, so the mysql service fails to start because of an SELinux permission denial.
To get more detail, run the following command:
[root@server mysql]# sealert -a /var/log/audit/audit.log
SELinux is preventing /usr/bin/mysqld_safe_helper from using the setuid capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mysqld_safe_helper should have the setuid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
# semodule -i my-mysqldsafehel.pp

Additional Information:
Source Context                system_u:system_r:mysqld_safe_t:s0
Target Context                system_u:system_r:mysqld_safe_t:s0
Target Objects                Unknown [ capability ]
Source                        mysqld_safe_hel
Source Path                   /usr/bin/mysqld_safe_helper
Port
Host
Source RPM Packages           MariaDB-server-10.0.29-1.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2017-01-14 10:23:22 UTC
Last Seen                     2017-01-14 10:23:22 UTC
Local ID                      f3462d4b-ed6b-4e94-9495-7ab0970c0af0

Raw Audit Messages
type=AVC msg=audit(1484389402.769:6203): avc:  denied  { setuid } for  pid=14718 comm="mysqld_safe_hel" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability

type=SYSCALL msg=audit(1484389402.769:6203): arch=x86_64 syscall=setuid success=no exit=EPERM a0=3e4 a1=3e4 a2=7f2c90e772e0 a3=7f2c90e772e0 items=0 ppid=14640 pid=14718 auid=4294967295 uid=0 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setuid
Following the suggestion above, run the suggested commands to build and install a local policy module:
ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
semodule -i my-mysqldsafehel.pp
Starting the mysql service again still fails. Checking the error message, it is still SELinux-related:
SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.
Repeat the steps above and run the suggested commands again. Then restart the mysql service:
[root@server ~]# systemctl restart mysql
[root@server ~]# systemctl status mysql.service -l
● mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
   Active: active (running) since Sat 2017-01-14 10:24:03 UTC; 29min ago
Of course, we could also get around this by temporarily putting SELinux into permissive mode with the following command:
setenforce 0
But if you want to fix the problem permanently while keeping the system secure, adding an SELinux policy module is still the recommended way to resolve the service start failure.
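To see what the audit2allow step in this procedure actually produces, here is an added example (not code from the original post or from the rootusers article) that parses raw AVC records and renders the equivalent type-enforcement rules. The setuid record is the one quoted above; the setgid record and the unrelated httpd record are constructed for illustration, and the module name is the page's my-mysqldsafehel. Both of the page's denials merge into one allow line, which is why the module had to be regenerated once the second denial appeared.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from this page (setgid, then setuid; the setgid record
# is reconstructed, not quoted), plus an unrelated httpd denial to show the source-type filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484389231.104:6190): avc:  denied  { setgid } for  pid=14640 comm="mysqld_safe_hel" capability=6  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=SYSCALL msg=audit(1484389231.104:6190): arch=x86_64 syscall=setgid success=no exit=EPERM comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper
type=AVC msg=audit(1484389402.769:6203): avc:  denied  { setuid } for  pid=14718 comm="mysqld_safe_hel" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
type=AVC msg=audit(1484389500.000:6210): avc:  denied  { read } for  pid=15000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)

def parse_denials(audit_text, source_type=None):
    """Return {(source type, target type, class): set of denied permissions}, optionally filtered by source type."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (source_type and m["stype"] != source_type):
            continue
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def build_te(module_name, rules):
    """Render a .te module the way audit2allow -M does, using 'self' when source and target types match."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Restricting to mysqld_safe_t keeps the httpd denial out of the module, the same narrowing
    # that ausearch -c 'mysqld_safe_hel' gives in the procedure above.
    print(build_te("my-mysqldsafehel", parse_denials(SAMPLE_AUDIT_LOG, "mysqld_safe_t")))
```

Review the generated .te before running semodule -i: the allow rule covers exactly the recorded denials and nothing more, and filtering by source type keeps denials from other confined domains out of the module.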
/usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1) (repost)
Original post: http://www.cnblogs.com/xiaoerlang/p/6668176.html