MySQL 8.0 参考手册  / 第 6 章 安全  / 6.7 SELinux  /  6.7.6 SELinux 故障排除

6.7.6 SELinux 故障排除

SELinux 故障排除通常包括将 SELinux 置于许可模式、重新运行有问题的操作、检查 SELinux 审计日志中的访问拒绝消息,以及在问题解决后将 SELinux 置于强制模式。

为避免使用setenforce 将整个系统置于许可模式 ,您可以使用semanage命令 将其 SELinux 域 ( mysqld_t) 置于许可模式 ,从而仅允许 MySQL 服务以许可模式运行:

semanage permissive -a mysqld_t

完成故障排除后,使用此命令将mysqld_t域重新置于强制模式:

semanage permissive -d mysqld_t

SELinux 将拒绝操作的日志写入 /var/log/audit/audit.log. 您可以通过搜索被拒绝消息来检查是否被拒绝。

grep "denied" /var/log/audit/audit.log

以下部分描述了一些可能会遇到 SELinux 相关问题的常见区域。

文件上下文

如果 MySQL 目录或文件的 SELinux 上下文不正确,访问可能会被拒绝。如果 MySQL 配置为读取或写入非默认目录或文件,则会发生此问题。例如,如果您将 MySQL 配置为使用非默认数据目录,则该目录可能没有预期的 SELinux 上下文。

尝试在具有无效 SELinux 上下文的非默认数据目录上启动 MySQL 服务会导致以下启动失败。

$> systemctl start mysql.service
Job for mysqld.service failed because the control process exited with error code.
See "systemctl status mysqld.service" and "journalctl -xe" for details.

在这种情况下,拒绝消息将记录到 /var/log/audit/audit.log

$> grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1587133719.786:194): avc:  denied  { write } for  pid=7133 comm="mysqld"
name="mysql" dev="dm-0" ino=51347078 scontext=system_u:system_r:mysqld_t:s0
tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0

有关为 MySQL 目录和文件设置正确的 SELinux 上下文的信息,请参阅 第 6.7.4 节,“SELinux 文件上下文”

端口访问

SELinux 期望诸如 MySQL 服务器之类的服务使用特定的端口。更改端口而不更新 SELinux 策略可能会导致服务失败。

The mysqld_port_t port type defines the ports that the MySQL listens on. If you configure the MySQL Server to use a non-default port, such as port 3307, and do not update the policy to reflect the change, the MySQL service fails to start:

$> systemctl start mysqld.service
Job for mysqld.service failed because the control process exited with error code.
See "systemctl status mysqld.service" and "journalctl -xe" for details.

In this case, a denial message is logged to /var/log/audit/audit.log:

$> grep "denied" /var/log/audit/audit.log
type=AVC msg=audit(1587134375.845:198): avc:  denied  { name_bind } for  pid=7340
comm="mysqld" src=3307 scontext=system_u:system_r:mysqld_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

For information about setting the proper SELinux port context for MySQL, see Section 6.7.5, “SELinux TCP Port Context”. Similar port access issues can occur when enabling MySQL features that use ports that are not defined with the required context. For more information, see Section 6.7.5.2, “Setting the TCP Port Context for MySQL Features”.

Application Changes

SELinux may not be aware of application changes. For example, a new release, an application extension, or a new feature may access system resources in a way that is not permitted by SELinux, resulting in access denials. In such cases, you can use the audit2allow utility to create custom policies to permit access where it is required. The typical method for creating custom policies is to change the SELinux mode to permissive, identify access denial messages in the SELinux audit log, and use the audit2allow utility to create custom policies to permit access.

For information about using the audit2allow utility, refer to your distribution's SELinux documentation.

If you encounter access issues for MySQL that you believe should be handled by standard MySQL SELinux policy modules, please open a bug report in your distribution's bug tracking system.