I am running into the following problem using MySQL on an Ubuntu 16.04.3 LTS instance with AppArmor enabled.
The problem appears when I change the MySQL bind-address to anything other than 127.0.0.X and restart MySQL. If I change the setting back, MySQL restarts perfectly again. The log clearly shows that AppArmor has noticed the change and will not accept it, but how do I get AppArmor to accept my change without compromising the security model?
I have tried changing the cnf file in different locations, but the result is the same either way. This particular log output comes from changing /etc/mysql/mysql.conf.d/mysqld.cnf.
Console output after the restart
root@MyServer:~# service mysql restart
Job for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details.
journalctl output
root@MyServer:~# journalctl -xe
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mysql.service has finished shutting down.
Oct 23 19:34:20 MyServer systemd[1]: Starting MySQL Community Server...
-- Subject: Unit mysql.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mysql.service has begun starting up.
Oct 23 19:34:20 MyServer kernel: audit_printk_skb: 12 callbacks suppressed
Oct 23 19:34:20 MyServer kernel: audit: type=1400 audit(1508787260.641:135): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:20 MyServer audit[7278]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:20 MyServer audit[7278]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 23 19:34:20 MyServer audit[7278]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:20 MyServer kernel: audit: type=1400 audit(1508787260.653:136): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 23 19:34:20 MyServer kernel: audit: type=1400 audit(1508787260.653:137): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:22 MyServer systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
Oct 23 19:34:46 MyServer kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ba:3f:d6:c5:XX:XX:f4:a7:39:d7:XX:XX:XX:XX SRC=XX.XX.XX.XX DST=XXX.XXX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=36512 PROTO=TCP SPT=46090 DPT=3128 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 23 19:34:46 MyServer kernel: IN=eth0 OUT= MAC=ba:3f:d6:c5:XX:XX:f4:a7:39:d7:XX:XX:XX:XX SRC=XX.XX.XX.XX DST=XXX.XXX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=36512 PROTO=TCP SPT=46090 DPT=3128 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 23 19:34:50 MyServer systemd[1]: Failed to start MySQL Community Server.
-- Subject: Unit mysql.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mysql.service has failed.
--
-- The result is failed.
Oct 23 19:34:50 MyServer systemd[1]: mysql.service: Unit entered failed state.
Oct 23 19:34:50 MyServer systemd[1]: mysql.service: Failed with result 'exit-code'.
Oct 23 19:34:51 MyServer systemd[1]: mysql.service: Service hold-off time over, scheduling restart.
Oct 23 19:34:51 MyServer systemd[1]: Stopped MySQL Community Server.
-- Subject: Unit mysql.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mysql.service has finished shutting down.
Oct 23 19:34:51 MyServer systemd[1]: Starting MySQL Community Server...
-- Subject: Unit mysql.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mysql.service has begun starting up.
Oct 23 19:34:51 MyServer audit[7381]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7381/status" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:51 MyServer kernel: audit: type=1400 audit(1508787291.145:138): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7381/status" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:51 MyServer audit[7381]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 23 19:34:51 MyServer audit[7381]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7381/status" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:51 MyServer kernel: audit: type=1400 audit(1508787291.149:139): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 23 19:34:51 MyServer kernel: audit: type=1400 audit(1508787291.149:140): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7381/status" pid=7381 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:53 MyServer systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
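As an added example (not part of the original question), here is a small Python triage script that parses the AppArmor DENIED records out of journal output like the one above and turns them into the minimal file rules for a site-local override, which is the least-privilege alternative to putting the profile into complain mode or disabling it. The sample log lines are constructed from the question's own output; the helper names (parse_denials, suggest_rules, local_override, denial_summary) belong to this example, not to AppArmor or MySQL.

```python
import re
from collections import Counter

# Constructed sample input: three DENIED records and one systemd line copied
# from the journal output in the question (the PIDs are the ones shown there).
SAMPLE_LOG = """\
Oct 23 19:34:20 MyServer audit[7278]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:20 MyServer audit[7278]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 23 19:34:20 MyServer kernel: audit: type=1400 audit(1508787260.653:137): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/7278/status" pid=7278 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=113 ouid=113
Oct 23 19:34:22 MyServer systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
"""

# key=value pairs as the audit subsystem prints them; values are quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in the journal text.

    The journal shows each event twice (as ``audit[pid]: AVC ...`` and again as
    ``kernel: audit: type=1400 ...``); both carry the same key=value fields, so a
    single parser handles both and the duplicates collapse when rules are built.
    """
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        records.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return records


def generalize(path):
    """Collapse a PID-specific /proc path so the rule survives the next restart."""
    return re.sub(r'^/proc/\d+/', '/proc/*/', path)


def suggest_rules(denials):
    """Map profile -> sorted list of minimal AppArmor file rules covering the denials.

    Only the denied mask is granted, and ``owner`` is added when the process
    already owns the object (fsuid == ouid), which keeps the grant as narrow as
    the log allows. Exec denials are skipped: they need a deliberate ix/px/Cx choice.
    """
    rules = {}
    for d in denials:
        path, mask = d.get('name'), d.get('denied_mask') or d.get('requested_mask')
        if not path or not mask or 'x' in mask:
            continue  # not a file-access denial (capability, signal, ...) or an exec one
        owner = 'owner ' if d.get('fsuid') == d.get('ouid') else ''
        rules.setdefault(d.get('profile', '?'), set()).add(f"{owner}{generalize(path)} {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}


def local_override(profile, rules):
    """Render the body of /etc/apparmor.d/local/<profile-file-name>.

    Ubuntu's packaged profiles end with ``#include <local/...>``, so this file
    holds bare rules and no profile header.
    """
    header = f"# Site-local additions for {profile}, derived from journal DENIED records.\n"
    return header + "".join(rule + "\n" for rule in rules)


def denial_summary(denials):
    """Count denials per (profile, path, mask) for a quick look before writing rules."""
    return Counter((d.get('profile'), d.get('name'), d.get('denied_mask')) for d in denials)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for key, n in denial_summary(found).items():
        print(f"{n:3d}  {key}")
    for profile, rules in suggest_rules(found).items():
        print(f"\n--- /etc/apparmor.d/local/{profile.strip('/').replace('/', '.')} ---")
        print(local_override(profile, rules), end="")
```

Writing the rendered rules to /etc/apparmor.d/local/usr.sbin.mysqld (Ubuntu's mysqld profile pulls that file in via `#include <local/usr.sbin.mysqld>`) and reloading with `apparmor_parser -r /etc/apparmor.d/usr.sbin.mysqld` grants exactly the two read accesses the journal shows and nothing else, so the confinement stays intact. One check before treating the denials as the root cause: the paths denied above are /proc/<pid>/status and /sys/devices/system/node/, mysqld's own process status and the NUMA topology, and neither depends on the bind-address. If mysql.service still exits with status 1 after the denials stop, the startup error is recorded in the MySQL error log (/var/log/mysql/error.log on Ubuntu's packaged 5.7); a bind-address that is not configured on any local interface is one thing that would fail there while leaving the AppArmor messages unchanged.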