I don't know why you can't get any good reference for this context type: mysqld_db_t
This is on the RHEL website and addresses exactly the issue you have:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-MySQL-Configuration_Examples.html
Thanks for the reply.
First a few words of background: I'm a developer, but the system has to run on Linux, with MySQL installed and a Java web app deployed, and the company has no dedicated Linux administrator, so I have to do it myself. The reason I ran into the problem above is that I wanted to specify the data file directory when creating a table in MySQL, but MySQL kept reporting an error saying it had no access permission to that directory, even though I had already given the owner and group of that directory to mysql, set the permissions to 777, and set the security context with chcon -R -t mysqld_db_t /home/myusqldata. But it still says no permission.
I don't know how to dump the SELinux policy, and the link you provided doesn't open from here.
Understood; a lot of companies are like that, it has its pros and cons.
So you're saying that even using chcon doesn't fix the permission problem? Then the problem probably needs further diagnosis.
I've copied that English article below for your reference.
Also, on SELinux, this Red Hat tutorial is quite well written:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/SELinux_Guide/index.html
In short, you can try a few commands:
1. sestatus
Check whether SELinux is enabled; if it is disabled, you don't need to consider anything related to chcon at all.
2. sesearch -a -t mysqld_db_t /etc/selinux/..../...conf (the exact location depends on the system configuration)
For example, here is a sample output:
Found 99 av rules:
allow mysqld_t mysqld_db_t: file {ioctl read write create getattr setattr lock append unlink link rename}
allow mysqld mysqld_db_t: dir {ioctl read write create getattr setattr lock unlink link rename }
...
The rules above read: allow src_type target_type class {permission}
The src type of the mysqld executable is mysqld, so setting certain dirs to target type=mysqld_db_t makes them match these rules and gives the right permissions.
3. Failures caused by SELinux rules can usually be found logged under /var/log/; you could try looking there.
The quoted article follows:
Change MySQL data folder on SELinux
Posted on April 2, 2012 by phe1129
When installing MySQL on SELinux (Security Enhanced Linux), you may get the following errors in mysqld.log if you
changed the default data directory for the mysql database even if you granted all necessary privileges to the user mysql:
111206 1:46:00 [Warning] Can't create test file /data/mysql/devmysql.lower-test
111206 1:46:00 [Warning] Can't create test file /data/mysql/devmysql.lower-test
/usr/libexec/mysqld: Can't change dir to '/data/mysql/' (Errcode: 13)
111206 1:46:00 [ERROR] Aborting
This is because on SELinux such as CentOS 6, all processes and files are labeled in a way that represents
security-relevant information. This information is called the SELinux context. For files, this is viewed using the
ls -Z command:
$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0).
This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user
and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules
deny access first.
So when we change the mysql datadir to a different folder, besides granting the access permission for the mysql
user, we also need to change the label of the new folder.
First we need to know what the correct labeling is, using the -Z command on the default data dir:
[root@xxx ~]# ls -lh -Zd /var/lib/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
Now change the label for the new location:
chcon -R -u system_u -r object_r -t mysqld_db_t /data/mysql
To verify the label is changed:
ls -lh -Zd /data/mysql
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /data/mysql
Note the mysql config file has a different label; do not use that one for the data dir.
[root@xxx ~]# ls -lh -Z /etc/my.cnf
-rw-r--r--. root root system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf
If binlog file is put in a different location (e.g. /mysql-log/mysql), we also need to change the label for the
root folder (/mysql-log) and the subfolder /mysql-log/mysql.
Now we can install the system tables:
mysql_install_db --datadir=/data/mysql --user=mysql
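An added example, not code from the thread or from the quoted article, that turns the three checks above (read the label with ls -Zd, compare it with the mysqld_db_t type the article shows on /var/lib/mysql, and look at the denials in the audit log) into a small POSIX shell script. The ls -Zd line and the AVC record below are constructed sample input; the /data/mysql path and the mysqld_db_t and mysqld_etc_t types come from the article, and the audit log path /var/log/audit/audit.log is where auditd writes AVC denials on RHEL/CentOS 6. relabel_datadir is a hypothetical helper name: it records the mapping with semanage fcontext and applies it with restorecon (both from policycoreutils) so the label survives a filesystem relabel, and falls back to the chcon the article uses when semanage is not installed.

```shell
#!/bin/sh
# Added example for the SELinux/MySQL data directory discussion; not from the thread.
# Helpers:
#   label_type      - pull the SELinux type out of one `ls -Zd` line
#   check_datadir   - compare that type with the one mysqld may use (mysqld_db_t)
#   avc_summary     - reduce audit.log AVC denial lines to "comm tclass target_type perms"
#   relabel_datadir - give a new data directory the mysqld_db_t label persistently

EXPECTED_TYPE=mysqld_db_t   # type the article shows on /var/lib/mysql

# Constructed sample input (not captured from a real system).
SAMPLE_GOOD='drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /data/mysql'
SAMPLE_BAD='drwxr-xr-x. mysql mysql unconfined_u:object_r:default_t:s0 /data/mysql'
SAMPLE_AVC='type=AVC msg=audit(1333400000.123:45): avc:  denied  { write } for  pid=2468 comm="mysqld" name="mysql" dev=sda1 ino=262145 scontext=unconfined_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'

# Print the type (third field of user:role:type:level) from one line of `ls -Z` output.
label_type() {
    set -f                       # no pathname expansion while splitting the line
    for field in $1; do
        case "$field" in
            *:*:*:*)
                rest=${field#*:*:}           # drop "user:role:"
                printf '%s\n' "${rest%%:*}"  # keep "type", drop ":level"
                set +f; return 0 ;;
        esac
    done
    set +f; return 1
}

# Succeed only if the directory described by $1 (an `ls -Zd` line) carries $EXPECTED_TYPE.
check_datadir() {
    [ "$(label_type "$1")" = "$EXPECTED_TYPE" ]
}

# Read audit.log on stdin and print, for every AVC denial, the process name, the
# object class, the target's SELinux type and the denied permissions.
avc_summary() {
    open='denied  { '; close=' }'
    while IFS= read -r line; do
        case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
        perms=${line#*"$open"};   perms=${perms%%"$close"*}
        comm=${line#*comm=\"};    comm=${comm%%\"*}
        tctx=${line#*tcontext=};  tctx=${tctx%% *}
        ttype=${tctx#*:*:};       ttype=${ttype%%:*}
        tclass=${line#*tclass=};  tclass=${tclass%% *}
        printf '%s %s %s %s\n' "$comm" "$tclass" "$ttype" "$perms"
    done
}

# Label $1 (and everything under it) as mysqld_db_t. Needs root. The semanage rule
# is what makes the label survive `restorecon` / a full relabel; chcon alone does not.
relabel_datadir() {
    dir=$1
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t "$EXPECTED_TYPE" "$dir(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t "$EXPECTED_TYPE" "$dir(/.*)?"
        restorecon -Rv "$dir"
    else
        chcon -R -t "$EXPECTED_TYPE" "$dir"
    fi
}

# Demo on the constructed samples (on a real host: check_datadir "$(ls -Zd /data/mysql)").
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_datadir "$sample"; then
        printf 'OK   %s\n' "${sample##* }"
    else
        printf 'FAIL %s has type %s, expected %s\n' "${sample##* }" \
            "$(label_type "$sample")" "$EXPECTED_TYPE"
    fi
done
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a live system the denial summary is `avc_summary < /var/log/audit/audit.log`; a line such as `mysqld dir default_t write` tells you that mysqld_t was refused write on a directory that still carries the wrong type, which is exactly the state before the chcon or restorecon step in the article.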