zoukankan      html  css  js  c++  java
  • /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1) (转)

    From: https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/

    安装mysql 10.0.29后,启动mysql失败:

    [root@server centos]# systemctl status mysql
    â mysql.service - LSB: start and stop MySQL
       Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
       Active: failed (Result: exit-code) since Sat 2017-01-14 10:17:09 UTC; 4s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 14010 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
      Process: 14016 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)
    
    Jan 14 10:17:08 server systemd[1]: Starting LSB: start and stop MySQL...
    Jan 14 10:17:08 server mysql[14016]: Starting MySQL.170114 10:17:08 mysqld_safe Logging to '/var/lib/mysql/server.err'.
    Jan 14 10:17:08 server mysql[14016]: 170114 10:17:08 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
    Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)
    Jan 14 10:17:09 server mysql[14016]: ERROR!
    Jan 14 10:17:09 server systemd[1]: mysql.service: control process exited, code=exited status=1
    Jan 14 10:17:09 server systemd[1]: Failed to start LSB: start and stop MySQL.
    Jan 14 10:17:09 server systemd[1]: Unit mysql.service entered failed state.
    Jan 14 10:17:09 server systemd[1]: mysql.service failed.

    可以看到,myql服务状态是down。错误显示mysqld_safe_helper 试图更改UID/GID:

    Jan 14 10:17:08 server mysql[14016]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1)

    根据错误提示,执行 journalctl -xe命令:

    [root@server mysql]# journalctl -xe
    Jan 14 10:21:38 server setroubleshoot[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability. For complete SELinux messages. run sealert -l 640a7d54-35ab-43b5-9267-db6f159e1449
    Jan 14 10:21:38 server python[14484]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.
    
                            *****  Plugin catchall (100. confidence) suggests   **************************
    
                            If you believe that mysqld_safe_helper should have the setgid capability by default.
                            Then you should report this as a bug.
                            You can generate a local policy module to allow this access.
                            Do
                            allow this access for now by executing:
                            # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
                            # semodule -i my-mysqldsafehel.pp

    通过以上日志可以看出SELinux阻止了mysqld_safe_helper 的行为,因此mysql服务启动失败是因为SELinux的权限问题。

    为了获取更多信息,执行以下命令:

    [root@server mysql]# sealert -a /var/log/audit/audit.log
    SELinux is preventing /usr/bin/mysqld_safe_helper from using the setuid capability.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that mysqld_safe_helper should have the setuid capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
    # semodule -i my-mysqldsafehel.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:mysqld_safe_t:s0
    Target Context                system_u:system_r:mysqld_safe_t:s0
    Target Objects                Unknown [ capability ]
    Source                        mysqld_safe_hel
    Source Path                   /usr/bin/mysqld_safe_helper
    Port                          
    Host                          
    Source RPM Packages           MariaDB-server-10.0.29-1.el7.centos.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     server
    Platform                      Linux server
                                  3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6
                                  23:06:41 UTC 2016 x86_64 x86_64
    Alert Count                   3
    First Seen                    2017-01-14 10:23:22 UTC
    Last Seen                     2017-01-14 10:23:22 UTC
    Local ID                      f3462d4b-ed6b-4e94-9495-7ab0970c0af0
    
    Raw Audit Messages
    type=AVC msg=audit(1484389402.769:6203): avc:  denied  { setuid } for  pid=14718 comm="mysqld_safe_hel" capability=7  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability
    
    
    type=SYSCALL msg=audit(1484389402.769:6203): arch=x86_64 syscall=setuid success=no exit=EPERM a0=3e4 a1=3e4 a2=7f2c90e772e0 a3=7f2c90e772e0 items=0 ppid=14640 pid=14718 auid=4294967295 uid=0 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
    
    Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setuid

    根据以上建议,执行建议中的命令创建本地策略:

    ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel
    semodule -i my-mysqldsafehel.pp

    再次启动mysql服务,仍然失败。查看错误信息,仍是关于SELinux的:

    SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

    仍然按照以上步骤,执行建议命令。然后,再次重启mysql服务:

    [root@server ~]# systemctl restart mysql
    [root@server ~]# systemctl status mysql.service -l
    â mysql.service - LSB: start and stop MySQL
       Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)
       Active: active (running) since Sat 2017-01-14 10:24:03 UTC; 29min ago

    当然我们可以通过执行以下命令,通过临时关闭SELinux,解决这个问题:

    setenforce 0

    但是如果想要永久解决该问题,并保证系统的安全,还是建议通过添加SELinux策略的方式解决启动服务失败的问题。

  • 相关阅读:
    linq.js
    ES6入门
    Visual Studio Code之常备快捷键
    JavaScript——数组
    谈程序员的出路
    优秀博文
    多媒体封装格式详解---MP4
    音视频文件分析工具
    offsetof(s,m)解析
    GCC 提供的原子操作
  • 原文地址:https://www.cnblogs.com/xiaoerlang/p/6668176.html
Copyright © 2011-2022 走看看