From: https://www.rootusers.com/how-to-fix-mariadb-10-0-29-selinux-update-failure/

安装mysql 10.0.29后,启动mysql失败:

[root@server centos]# systemctl status mysql

â mysql.service - LSB: start and stop MySQL

   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)

   Active: failed (Result: exit-code) since Sat -- :: UTC; 4s ago

     Docs: man:systemd-sysv-generator()

  Process:  ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=/SUCCESS)

  Process:  ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=/FAILURE)

Jan  :: server systemd[]: Starting LSB: start and stop MySQL...

Jan  :: server mysql[]: Starting MySQL. :: mysqld_safe Logging to '/var/lib/mysql/server.err'.

Jan  :: server mysql[]:  :: mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

Jan  :: server mysql[]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: )

Jan  :: server mysql[]: ERROR!

Jan  :: server systemd[]: mysql.service: control process exited, code=exited status=

Jan  :: server systemd[]: Failed to start LSB: start and stop MySQL.

Jan  :: server systemd[]: Unit mysql.service entered failed state.

Jan  :: server systemd[]: mysql.service failed.

可以看到,myql服务状态是down。错误显示mysqld_safe_helper 试图更改UID/GID:

Jan  :: server mysql[]: /usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: )

根据错误提示,执行 journalctl -xe命令:

[root@server mysql]# journalctl -xe

Jan  :: server setroubleshoot[]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability. For complete SELinux messages. run sealert -l 640a7d54-35ab-43b5--db6f159e1449

Jan  :: server python[]: SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

                        *****  Plugin catchall (. confidence) suggests   **************************

                        If you believe that mysqld_safe_helper should have the setgid capability by default.

                        Then you should report this as a bug.

                        You can generate a local policy module to allow this access.

                        Do

                        allow this access for now by executing:

                        # ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel

                        # semodule -i my-mysqldsafehel.pp

通过以上日志可以看出SELinux阻止了mysqld_safe_helper 的行为,因此mysql服务启动失败是因为SELinux的权限问题。

为了获取更多信息,执行以下命令:

[root@server mysql]# sealert -a /var/log/audit/audit.log

SELinux is preventing /usr/bin/mysqld_safe_helper from using the setuid capability.

*****  Plugin catchall (. confidence) suggests   **************************

If you believe that mysqld_safe_helper should have the setuid capability by default.

Then you should report this as a bug.

You can generate a local policy module to allow this access.

Do

allow this access for now by executing:

# ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel

# semodule -i my-mysqldsafehel.pp

Additional Information:

Source Context                system_u:system_r:mysqld_safe_t:s0

Target Context                system_u:system_r:mysqld_safe_t:s0

Target Objects                Unknown [ capability ]

Source                        mysqld_safe_hel

Source Path                   /usr/bin/mysqld_safe_helper

Port

Host

Source RPM Packages           MariaDB-server-10.0.-.el7.centos.x86_64

Target RPM Packages

Policy RPM                    selinux-policy-3.13.-.el7_3..noarch

Selinux Enabled               True

Policy Type                   targeted

Enforcing Mode                Enforcing

Host Name                     server

Platform                      Linux server

                              3.10.-514.2..el7.x86_64 # SMP Tue Dec

                              :: UTC  x86_64 x86_64

Alert Count

First Seen                    -- :: UTC

Last Seen                     -- :: UTC

Local ID                      f3462d4b-ed6b-4e94--7ab0970c0af0

Raw Audit Messages

type=AVC msg=audit(1484389402.769:): avc:  denied  { setuid } for  pid= comm="mysqld_safe_hel" capability=  scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:mysqld_safe_t:s0 tclass=capability

type=SYSCALL msg=audit(1484389402.769:): arch=x86_64 syscall=setuid success=no exit=EPERM a0=3e4 a1=3e4 a2=7f2c90e772e0 a3=7f2c90e772e0 items= ppid= pid= auid= uid= gid= euid= suid= fsuid= egid= sgid= fsgid= tty=(none) ses= comm=mysqld_safe_hel exe=/usr/bin/mysqld_safe_helper subj=system_u:system_r:mysqld_safe_t:s0 key=(null)

Hash: mysqld_safe_hel,mysqld_safe_t,mysqld_safe_t,capability,setuid

根据以上建议,执行建议中的命令创建本地策略:

ausearch -c 'mysqld_safe_hel' --raw | audit2allow -M my-mysqldsafehel

semodule -i my-mysqldsafehel.pp

再次启动mysql服务,仍然失败。查看错误信息,仍是关于SELinux的:

SELinux is preventing /usr/bin/mysqld_safe_helper from using the setgid capability.

仍然按照以上步骤,执行建议命令。然后,再次重启mysql服务:

[root@server ~]# systemctl restart mysql

[root@server ~]# systemctl status mysql.service -l

â mysql.service - LSB: start and stop MySQL

   Loaded: loaded (/etc/rc.d/init.d/mysql; bad; vendor preset: disabled)

   Active: active (running) since Sat -- :: UTC; 29min ago

当然我们可以通过执行以下命令,通过临时关闭SELinux,解决这个问题:

setenforce

但是如果想要永久解决该问题,并保证系统的安全,还是建议通过添加SELinux策略的方式解决启动服务失败的问题。

/usr/bin/mysqld_safe_helper: Cannot change uid/gid (errno: 1) (转)的更多相关文章

  1. 安装Pod时提示ERROR: While executing gem ... (Errno::EPERM) Operation not permitted - /usr/bin/pod

    环境:OSX EI 10.11.1 昨天切换gem源后,招待pod安装没有任何问题,也可以正常用$ gem sources --add https://ruby.taobao.org/ --remov ...

  2. ERROR: While executing gem ... (Errno::EPERM) Operation not permitted - /usr/bin/pod

    因为突然要用到cocospod,突然发现在使用pod install的时候出现 -bash: pod: command not found 我去-不知道为什么,然后我就想重新安装下cocospod,在 ...

  3. sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set 的解决办法

    Linux新建用户 ,sudo报错: sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set 解决办法:重置一下s ...

  4. 解决普通用户sudo时出现/usr/bin/sudo must be owned by uid 0 and have the setuid bit set

    一:因为之前误操作使用sudo chmod -R 777 /usr命令修改了usr文件的所有者导致了此问题: 二:网上说需要进入recovery mode,经过自己的测试是不需要的: 三:步骤(只需登 ...

  5. sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

    使用root 登录,然后执行: chown root:root /usr/bin/sudo chmod 4755 /usr/bin/sudo reboot

  6. #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby

    #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby # This script installs to ...

  7. 解决Ubuntu sudo apt-get install遇到的E: Sub-process /usr/bin/dpkg returned an error code (1)问题

    如题,本人在安装samba等软件的时候,在命令行敲入: sudo apt-get install samba4命令的时候,系统在下载之后报错,大致内容如下: ~$ sudo apt-get insta ...

  8. 【问题】/usr/bin/env: php: 没有那个文件或目录

    php不是默认安装的,在使用symfony创建新项目时,出现这个提示. [root@localhost html]# symfony demo /usr/bin/env: php: 没有那个文件或目录 ...

  9. /usr/bin/expect介绍

    /usr/bin/expect介绍 http://blog.csdn.net/zhu_tianwei/article/details/44180637 概述 我们通过Shell可以实现简单的控制流功能 ...

随机推荐

  1. Fio IO性能测试

    fio-2.1.2-1.el5.rf.x86_64 介绍 fio different types of I/O engines (sync, mmap, libaio, posixaio, SG v3 ...

  2. hexo添加百度统计

    litten的主题yilia 编辑文件 themes/yilia/_config.yml,添加一行配置,可以删除原来的google analytics baidu_tongji: true 新建 th ...

  3. Fiddler简介以及web抓包

    Fiddler简介以及web抓包 版权声明:本文为博主原创文章,未经博主允许不得转载. 一.Fiddler简介简单来说,Fiddler是一个http协议调试代理工具,它能够记录并检查所有你的电脑和互联 ...

  4. codevs——3372 选学霸(背包)

    题目等级 : 大师 Master  时间限制: 1 s  空间限制: 128000 KB 题解       题目描述 Description 老师想从N名学生中选M人当学霸,但有K对人实力相当,如果实 ...

  5. ByteBuffer的介绍

    转摘 有一个问题需要明确:为什么要使用bytebuffer,它比byte比起来有什么优点? 很简单:为了提高IO的效率.怎样提高的,这个还得google一下. 记住几个标志的含义:position[0 ...

  6. POJ 2057 The Lost House [树状DP]

    题意:一只蜗牛将壳忘在了一棵树的某一个末结点(叶子)上.它想找回自己的壳,但忘记是丢在哪个结点上了,只好从树根开始网上爬,一个结点一个结点地找.在一些结点上居住着毛毛虫,它们会告诉蜗牛该结点以及它的子 ...

  7. 2016北京集训测试赛(十六)Problem B: river

    Solution 这题实际上并不是构造题, 而是一道网络流. 我们考虑题目要求的一条路径应该是什么样子的: 它是一个环, 并且满足每个点有且仅有一条出边, 一条入边, 同时这两条边的权值还必须不一样. ...

  8. Storyboards Tutorial 02

    内容中包含 base64string 图片造成字符过多,拒绝显示

  9. implement-stack-using-queues(easy,但也有思考价值)

    https://leetcode.com/problems/implement-stack-using-queues/ 还有种方法,就是利用同一个队列,知道队列长度前提下,把内容从头到尾,再向尾部依次 ...

  10. OllyDbg 使用笔记 (一)

    OllyDbg 使用笔记 (一) 參考 书:<加密与解密> 视频:小甲鱼 解密系列 视频 ollydbg下载地址:http://tools.pediy.com/debuggers.htm ...