How to use tmpfs with MariaDB when SELinux is enforcing?

Running AlmaLinux 9.2 and MariaDB 10.11.

Tried using this in my.cnf:

tmpdir = /dev/shm

This works fine when PHP-FPM connects over a TCP port.

Now trying to use the faster socket from PHP-FPM (/var/lib/mysql/mysql.sock).

This does not work out of the box; the workaround mentioned in https://jira.mariadb.org/browse/MDEV-30520 has to be applied:

chcon -t mysqld_exec_t /usr/sbin/mariadbd

After that MariaDB won't start, because it cannot access /dev/shm.

So then allow access to the tmpfs file context with the mysqld_tmpfs.te policy from https://mariadb.com/kb/en/selinux/#allowing-access-to-the-tmpfs-file-context:

module mysqld_tmpfs 1.0;

require {
    type tmpfs_t;
    type mysqld_t;
    class dir { write search read remove_name open getattr add_name };
    class file { write getattr read lock create unlink open };
}

allow mysqld_t tmpfs_t:dir { write search read remove_name open getattr add_name };
allow mysqld_t tmpfs_t:file { write getattr read lock create unlink open };

MariaDB now runs, but when it tries to create a temporary file I see the following error with ausearch -c 'mariadbd' --raw:

type=AVC msg=audit(1690215382.357:58492): avc:  denied  { map } for  pid=602807 comm="mariadbd" path="/dev/shm/#sql-temptable-932b7-22f-62.MAD" dev="tmpfs" ino=1183 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
type=SYSCALL msg=audit(1690215382.357:58492): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=7 a2=3 a3=4001 items=0 ppid=1 pid=602807 auid=4294967295 uid=986 gid=985 euid=986 suid=986 fsuid=986 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="mariadbd" exe="/usr/sbin/mariadbd" subj=system_u:system_r:mysqld_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="mysql" GID="mysql" EUID="mysql" SUID="mysql" FSUID="mysql" EGID="mysql" SGID="mysql" FSGID="mysql"
type=PROCTITLE msg=audit(1690215382.357:58492): proctitle="/usr/sbin/mariadbd"

Or in human-readable form:

SELinux is preventing /usr/sbin/mariadbd from map access on the file /dev/shm/#sql-temptable-932b7-22f-62.MAD.

*****  Plugin restorecon_source (92.2 confidence) suggests   *****************

If you want to fix the label. 
/usr/sbin/mariadbd default label should be bin_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /usr/sbin/mariadbd

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that mariadbd should be allowed map access on the #sql-temptable-932b7-22f-62.MAD file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mariadbd' --raw | audit2allow -M my-mariadbd
# semodule -X 300 -i my-mariadbd.pp

Please advise.
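As an added example (not part of the original question, nor code from MariaDB or the SELinux docs): a small Python checker that parses the AVC record quoted above, compares the denied permission against the allow rules in the mysqld_tmpfs.te module, and emits the missing rule in the same form audit2allow would generate. The policy text and AVC line are constructed copies of what the post quotes; the parser assumes a standard raw AVC record with scontext, tcontext and tclass fields.

```python
import re

# Constructed copies of the data quoted in the post (policy module and one AVC record).
TE_MODULE = """
module mysqld_tmpfs 1.0;
require {
    type tmpfs_t;
    type mysqld_t;
    class dir { write search read remove_name open getattr add_name };
    class file { write getattr read lock create unlink open };
}
allow mysqld_t tmpfs_t:dir { write search read remove_name open getattr add_name };
allow mysqld_t tmpfs_t:file { write getattr read lock create unlink open };
"""
AVC_LINE = ('type=AVC msg=audit(1690215382.357:58492): avc:  denied  { map } for  pid=602807 '
            'comm="mariadbd" path="/dev/shm/#sql-temptable-932b7-22f-62.MAD" dev="tmpfs" ino=1183 '
            'scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
            'tclass=file permissive=0')

ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;')

def parse_te_allows(te_text):
    """Map (source_type, target_type, class) -> set of permissions granted by allow rules."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.setdefault((src, tgt, cls), set()).update(perms.strip('{}').split())
    return rules

def parse_avc(line):
    """Pull (source_type, target_type, class, denied_perms) out of one type=AVC record."""
    denied = set(re.search(r'denied\s+\{([^}]*)\}', line).group(1).split())
    src = re.search(r'scontext=(\S+)', line).group(1).split(':')[2]  # user:role:TYPE:level
    tgt = re.search(r'tcontext=(\S+)', line).group(1).split(':')[2]
    cls = re.search(r'tclass=(\w+)', line).group(1)
    return src, tgt, cls, denied

def missing_perms(te_text, avc_line):
    """Permissions the AVC asked for that the module does not already allow for that triple."""
    src, tgt, cls, denied = parse_avc(avc_line)
    return denied - parse_te_allows(te_text).get((src, tgt, cls), set())

def suggested_rule(te_text, avc_line):
    """The allow line to append to the .te, or None if the module already covers the denial."""
    src, tgt, cls, _ = parse_avc(avc_line)
    need = missing_perms(te_text, avc_line)
    if not need:
        return None
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(need))} }};"

if __name__ == "__main__":
    print(suggested_rule(TE_MODULE, AVC_LINE))  # allow mysqld_t tmpfs_t:file { map };
```

Running it against the module and AVC from the post reports only the `map` permission on `tmpfs_t:file`, which is exactly the one the quoted module never grants; after adding the printed line the checker returns None.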
