Incorrect SELinux labeling of the mysql unix socket on CentOS 7

Operating system:

# rpm -q centos-release
centos-release-7-9.2009.1.el7.centos.x86_64

I am trying to let zabbix-agent access mysqld (using mysqladmin ping), but the process fails with the following error (in the audit log):

type=AVC msg=audit(1690802455.685:134747): avc:  denied  { connectto } for  pid=18714 comm="mysqladmin" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1690802455.685:134747): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffe8b63b500 a2=6e a3=7ffe8b63ade0 items=0 ppid=18635 pid=18714 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="mysqladmin" exe="/usr/bin/mysqladmin" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)

Running this through audit2allow resolves the issue, but it comes with a warning:

#============= zabbix_agent_t ==============

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow zabbix_agent_t mysqld_t:unix_stream_socket connectto;

Searching for the expected permissions of /var/lib/mysql/mysql.sock, I see the following:

/etc/selinux/targeted/contexts/files/file_contexts:/var/lib/mysql/mysql\.sock   -s      system_u:object_r:mysqld_var_run_t:s0

The actual permissions match:

srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 /var/lib/mysql/mysql.sock

Looking at the process contexts:

# ps -eZf  |grep -E '^LABEL|mysqld|zabbix' |grep -v grep
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:mysqld_safe_t:s0 mysql  6331     1  0 Feb04 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
system_u:system_r:mysqld_t:s0   mysql     6644  6331  1 Feb04 ?        2-05:50:59 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
system_u:system_r:zabbix_agent_t:s0 zabbix 18926   1  0 11:25 ?        00:00:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf
system_u:system_r:zabbix_agent_t:s0 zabbix 18927 18926  0 11:25 ?      00:00:00 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
system_u:system_r:zabbix_agent_t:s0 zabbix 18928 18926  0 11:25 ?      00:00:00 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
system_u:system_r:zabbix_agent_t:s0 zabbix 18929 18926  0 11:25 ?      00:00:00 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
system_u:system_r:zabbix_agent_t:s0 zabbix 18930 18926  0 11:25 ?      00:00:00 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]

Next, when I try to add the generated rule to the policy, I get the following error about mysqld_t:

zabbix_home.te:22:ERROR 'unknown type mysqld_t' at token ';' on line 22:
allow zabbix_agent_t mysqld_t:unix_stream_socket connectto;
allow zabbix_agent_t mysqld_var_run_t:sock_file write;
checkmodule:  error(s) encountered while parsing configuration
checkmodule:  loading policy configuration from zabbix_home.te

My questions are:

  • Why is my target context mysqld_t rather than mysqld_var_run_t?
  • How do I fix this?
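As an added example (not part of the question, and not audit2allow's own code), a small POSIX shell helper that pulls the fields out of an AVC record like the one above, classifies the target context by its role (system_r marks a running process's domain, which is what connectto on a unix_stream_socket is checked against; object_r marks a file label, which is what restorecon fixes), and emits module source whose require block declares every type and class used, which is what checkmodule's "unknown type" error is about. The AVC records are constructed from the question; the second one (a sock_file write denial) and the module name zabbix_mysql_sock are assumptions.

```shell
#!/bin/sh
# Constructed samples based on the question: the connectto denial from the
# audit log (joined onto one line) and a hypothetical sock_file denial whose
# target is the socket's file label rather than a process domain.
AVC_CONNECT='type=AVC msg=audit(1690802455.685:134747): avc:  denied  { connectto } for  pid=18714 comm="mysqladmin" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=0'
AVC_SOCKFILE='type=AVC msg=audit(1690802455.685:134746): avc:  denied  { write } for  pid=18714 comm="mysqladmin" name="mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=0'

# avc_field RECORD KEY: the value of KEY=... in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: the permission list inside { ... }, trimmed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_role / ctx_type: role and type components of user:role:type:level
ctx_role() { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# target_kind CONTEXT: object_r means a file label; any other role means the
# domain of a running process (connectto is checked against the listener).
target_kind() {
    case "$(ctx_role "$1")" in
        object_r) echo file ;;
        *)        echo process ;;
    esac
}

# gen_te NAME RECORD...: minimal module source. checkmodule rejects any type it
# has not seen, so each type (deduplicated) and class goes into the require block.
# The allow rules grant exactly the denied permissions, nothing broader.
gen_te() {
    name=$1; shift
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    { for r in "$@"; do
          printf '\ttype %s;\n\ttype %s;\n' \
              "$(ctx_type "$(avc_field "$r" scontext)")" \
              "$(ctx_type "$(avc_field "$r" tcontext)")"
      done; } | sort -u
    for r in "$@"; do
        printf '\tclass %s { %s };\n' "$(avc_field "$r" tclass)" "$(avc_perms "$r")"
    done
    printf '}\n\n'
    for r in "$@"; do
        printf 'allow %s %s:%s { %s };\n' \
            "$(ctx_type "$(avc_field "$r" scontext)")" \
            "$(ctx_type "$(avc_field "$r" tcontext)")" \
            "$(avc_field "$r" tclass)" "$(avc_perms "$r")"
    done
}

gen_te zabbix_mysql_sock "$AVC_CONNECT" "$AVC_SOCKFILE"
```

The printed source is what would be fed to checkmodule -M -m; the require block is the part the question's zabbix_home.te was missing for mysqld_t.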
