关于selinux 的配置上的疑问

bandaoyu 2014-09-26 09:46:29

mysql 的原安装目录是 /var/lib/mysql

我把它拷贝迁移至 /app/dat/mysql ，并将原来的备份为 /var/lib/mysql_bak 然后建立链接 /var/lib/mysql 链接至 /app/dat/mysql

并且使用命令 chcon --reference /var/lib/mysql_bak /app -R 将mysql的安全上下文全部都给了新目录，

可是启动mysql的时候，仍然被selinux 拦截了，是denied {write} 是写被拦截了？

真是很奇怪，安全上下文已经全部和原来的/var/lib/mysql 一样了，为何还被拦截了？

...全文

631 6 打赏收藏转发到动态举报

写回复

用AI写文章

6 条回复

切换为时间正序

请发表友善的回复…

发表回复

小笨和漂向北方 2014-09-29

打赏
举报

as an IT person, I believe that nothing is impossible. But u should probably ask yourself, at what cost?

小笨和漂向北方 2014-09-29

打赏
举报

引用 4 楼 bandaoyu 的回复:

[quote=引用 3 楼 micropentium6 的回复:] I have told u to check audit.log, have u done that yet? What is ur discovery there? Solving selinux issue is always pain in the ass, if u can not provide detail, no one can offer u specific...

这个具体性的问题，我就不问你了。这样，你能否告诉我如何关掉selinux对某一个特定的程序的监视吗？比如我想让selinux对mysql的一切操作都放行，但是对其他的程序还是该怎么样就怎么样。如何实现。网上查找到的资料都是说用getsebool 命令找到 mysqld_disable_trans 策略，然后关掉，但是我用getsebool -a|grep mysql却仅仅找到了：mysql_connect_any 和 allow_user_mysql_connect 两个，只看到这两个。没有找到mysqld_disable_trans [/quote] no way. boolean value is not the only constraint that could affect selinux's behavior, there are also file attributes, policies, etc. There is no swtich saying simply disable selinux toward a particular process. That's why I told u that you should provide specific details... From IT management perspective, if I were in this situation, my first choice will be migrate this mysql instance to another server and then rebuild this one. I am not going to waste my time on figuring out some SELinux details if I don't have an expert in the team. Remember what I told you at the first place: a lot of senior admin simply disable selinux. U don't have to trust me, try ur question at chinaunix.net and see what those "expert" say. I am confident that you will get the similar replies...

bandaoyu 2014-09-29

打赏
举报

引用 3 楼 micropentium6 的回复:

I have told u to check audit.log, have u done that yet? What is ur discovery there? Solving selinux issue is always pain in the ass, if u can not provide detail, no one can offer u specific...

小笨和漂向北方 2014-09-26

打赏
举报

see, I told u! I am pretty confident if I say no, no one can say yes for this issue

you either dig into audit.log and make ur own policy override or move it back...

小笨和漂向北方 2014-09-26

打赏
举报

I have told u to check audit.log, have u done that yet? What is ur discovery there? Solving selinux issue is always pain in the ass, if u can not provide detail, no one can offer u specific...

bandaoyu 2014-09-26

打赏
举报

引用 1 楼 micropentium6 的回复:

see, I told u! I am pretty confident if I say no, no one can say yes for this issue you either dig into audit.log and make ur own policy override or move it back...

引用 1 楼 micropentium6 的回复:

see, I told u! I am pretty confident if I say no, no one can say yes for this issue you either dig into audit.log and make ur own policy override or move it back...

i don't know how to movie it out , i can‘t found the policy. could you help me? how should i to deal with this problem ?