Ubuntu 14.04 上的 Mysql 与 AppArmor 数据目录权限问题

Ubuntu 14.04 上的 Mysql 与 AppArmor 数据目录权限问题

从 Ubuntu 12.04 开始,我就一直使用不同位置的 MySQL 来存储数据库日期,没有遇到任何问题。我的配置如下:

  • /home/db/mysql 中的数据
  • 默认位置的链接sudo ln -s /home/db/mysql /var/lib/mysql
  • 添加/home/db/** rwk,/etc/apparmor.d/usr.sbin.mysqld

在 Ubuntu 14.04 之前它运行良好。我整天都在努力但似乎无法让它工作。

看起来 AppArmor 没有向 /home/db 文件夹上的 MySQL 提供所请求的权限,因为如果我这样做,chmod 777 -R /home/db它就可以工作。

否则,我会得到这个:

$ sudo service mysql start
start: Job failed to start

日志如下:

140420 22:42:56 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:42:56 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:42:56 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:42:56 InnoDB: The InnoDB memory heap is disabled
140420 22:42:56 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:42:56 InnoDB: Compressed tables use zlib 1.2.8
140420 22:42:56 InnoDB: Using Linux native AIO
140420 22:42:56 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:42:56 InnoDB: Completed initialization of buffer pool
140420 22:42:56 InnoDB: highest supported file format is Barracuda.
140420 22:42:57  InnoDB: Waiting for the background threads to start
140420 22:42:58 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:42:58 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:42:58 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
140420 22:42:58 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:42:58 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:42:58 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:42:58 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:42:58 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:42:58 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:42:58 InnoDB: The InnoDB memory heap is disabled
140420 22:42:58 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:42:58 InnoDB: Compressed tables use zlib 1.2.8
140420 22:42:58 InnoDB: Using Linux native AIO
140420 22:42:58 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:42:58 InnoDB: Completed initialization of buffer pool
140420 22:42:59 InnoDB: highest supported file format is Barracuda.
140420 22:42:59  InnoDB: Waiting for the background threads to start
140420 22:43:00 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:43:00 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:43:00 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
140420 22:43:00 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:43:00 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:00 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:01 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
140420 22:43:01 [Note] Plugin 'FEDERATED' is disabled.
/usr/sbin/mysqld: Can't find file: './mysql/plugin.frm' (errno: 13)
140420 22:43:01 [ERROR] Can't open the mysql.plugin table. Please run mysql_upgrade to create it.
140420 22:43:01 InnoDB: The InnoDB memory heap is disabled
140420 22:43:01 InnoDB: Mutexes and rw_locks use GCC atomic builtins
140420 22:43:01 InnoDB: Compressed tables use zlib 1.2.8
140420 22:43:01 InnoDB: Using Linux native AIO
140420 22:43:01 InnoDB: Initializing buffer pool, size = 128.0M
140420 22:43:01 InnoDB: Completed initialization of buffer pool
140420 22:43:01 InnoDB: highest supported file format is Barracuda.
140420 22:43:01  InnoDB: Waiting for the background threads to start
140420 22:43:02 InnoDB: 5.5.35 started; log sequence number 242217316
140420 22:43:02 [Note] Server hostname (bind-address): '127.0.0.1'; port: 3306
140420 22:43:02 [Note]   - '127.0.0.1' resolves to '127.0.0.1';
140420 22:43:02 [Note] Server socket created on IP: '127.0.0.1'.
140420 22:43:02 [ERROR] /usr/sbin/mysqld: Can't find file: './mysql/host.frm' (errno: 13)
140420 22:43:02 [ERROR] Fatal error: Can't open and lock privilege tables: Can't find file: './mysql/host.frm' (errno: 13)

答案1

这是权限问题,而不是 Apparmor 问题。

Apparmor 与 DAC 权限协同工作。

AppArmor 为 DAC 提供了额外的权限检查。除了 AppArmor 权限检查外,还会始终检查 DAC。因此,AppArmor 无法覆盖 DAC 来提供超出正常允许范围的访问权限。

http://wiki.apparmor.net/index.php/QuickProfileLanguage#How_AppArmor_file_permissions_differ_from_DAC

相关内容