SELinux settings for MongoDB
I am trying to install MongoDB on CentOS 7.2 from the mongodb.org repository. So far everything is fine, but the host has created a secondary disk (/mongo) for all the MongoDB data files. This conflicts with the SELinux permissions, so MongoDB fails to start. I started out by running
setenforce 0
, but that is not really how I want to run a production server. I have quite a bit of Linux experience, but all my SELinux experience consists of turning it off. I found this CentOS SELinux tutorial, which led me to think that running
[user@machine lib]$ sudo chcon -Rv --type mongod_var_lib_t /mongo
changing security context of ‘/mongo/mongod.lock’
changing security context of ‘/mongo/journal/WiredTigerLog.0000000001’
changing security context of ‘/mongo/journal/WiredTigerPreplog.0000000001’
changing security context of ‘/mongo/journal/WiredTigerPreplog.0000000002’
changing security context of ‘/mongo/journal’
changing security context of ‘/mongo/WiredTiger.lock’
changing security context of ‘/mongo/WiredTiger’
changing security context of ‘/mongo/WiredTiger.wt’
changing security context of ‘/mongo/WiredTiger.turtle’
changing security context of ‘/mongo/WiredTigerLAS.wt’
changing security context of ‘/mongo/sizeStorer.wt’
changing security context of ‘/mongo/_mdb_catalog.wt’
changing security context of ‘/mongo/storage.bson’
changing security context of ‘/mongo/collection-0-7567754672580995921.wt’
changing security context of ‘/mongo/index-1-7567754672580995921.wt’
changing security context of ‘/mongo/diagnostic.data/metrics.2016-04-14T06-51-54Z-00000’
changing security context of ‘/mongo/diagnostic.data/metrics.interim’
changing security context of ‘/mongo/diagnostic.data’
changing security context of ‘/mongo’
[user@machine lib]$ ls -Z /mongo
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 collection-0-7567754672580995921.wt
drwxr-xr-x. mongod mongod system_u:object_r:mongod_var_lib_t:s0 diagnostic.data
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 index-1-7567754672580995921.wt
drwxr-xr-x. mongod mongod system_u:object_r:mongod_var_lib_t:s0 journal
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 _mdb_catalog.wt
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 mongod.lock
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 sizeStorer.wt
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 storage.bson
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTigerLAS.wt
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.lock
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.turtle
-rw-r--r--. mongod mongod system_u:object_r:mongod_var_lib_t:s0 WiredTiger.wt
would fix the problem. After that I did a
touch /.autorelabel
and rebooted. Unfortunately, that did not solve the problem at hand. How would I go about fixing this? The current error is:
[user@machine lib]$ systemctl status mongod
● mongod.service - SYSV: Mongo is a scalable, document-oriented database.
   Loaded: loaded (/etc/rc.d/init.d/mongod)
   Active: failed (Result: exit-code) since Thu 2016-04-14 09:02:54 CEST; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2180 ExecStart=/etc/rc.d/init.d/mongod start (code=exited, status=1/FAILURE)

Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld systemd[1]: Starting SYSV: Mongo is a scalable, document-oriented database....
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld runuser[2187]: pam_unix(runuser:session): session opened for user mongod by (uid=0)
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld runuser[2187]: pam_unix(runuser:session): session closed for user mongod
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld mongod[2180]: Starting mongod: [FAILED]
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld systemd[1]: mongod.service: control process exited, code=exited status=1
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld systemd[1]: Failed to start SYSV: Mongo is a scalable, document-oriented database..
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld systemd[1]: Unit mongod.service entered failed state.
Apr 14 09:02:54 LMG-TA-MONGO01.boolhosting.tld systemd[1]: mongod.service failed.
If you want to configure SELinux for Mongo the simple way - try audit2why on your /var/log/audit/audit.log to see which violations are being denied, and use audit2allow to build a custom policy. That works for 80% of cases.
If you still have problems - run audit2why and fix the rest by hand. Maybe we can help you with that step.
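The persistent way to label the /mongo data directory, as an added example that is not part of the question or either answer: a relabel like the one in the question rewrites every file from the policy's file_contexts database, so a chcon-only change is reverted by it, and the rule has to be recorded with semanage fcontext first. It assumes the paths and type name from the question and the standard policycoreutils tools (semanage, restorecon, ausearch, audit2why); the audit2why step from the answer above is wired in as the fallback check.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. Assumes the
# paths and type name from the question (/mongo, mongod_var_lib_t) and the
# standard policycoreutils tools (semanage, restorecon, ausearch, audit2why).
#
# Why not chcon: chcon only rewrites the inode's security xattr. A relabel
# (touch /.autorelabel, restorecon) resets every file to what the policy's
# file_contexts database says, so a chcon-only fix is undone by the very
# relabel the question performed. semanage fcontext records the rule in the
# local policy store; restorecon then applies it, and later relabels keep it.

DATA_DIR="${MONGO_DATA_DIR:-/mongo}"
WANT_TYPE="mongod_var_lib_t"

# file_contexts regex covering a directory and everything beneath it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Persist the labeling rule, then label the tree from the policy.
label_persistently() {
    semanage fcontext -a -t "$WANT_TYPE" "$(fcontext_pattern "$DATA_DIR")"
    restorecon -Rv "$DATA_DIR"
}

# Count entries in `ls -Z` output (read from stdin) whose type is not $1.
# A non-zero count means something under the data dir is still mislabeled.
count_mislabeled() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /:object_r:/) { split($i, c, ":"); if (c[3] != want) n++ } }
        END { print n + 0 }'
}

# Explain any remaining denials instead of reaching for setenforce 0.
explain_denials() {
    ausearch -m AVC -ts recent | audit2why
}

# Only touch the system when explicitly asked, e.g. "sh label-mongo.sh apply".
case "${1:-}" in
    apply)
        label_persistently
        bad=$(ls -Z "$DATA_DIR" | count_mislabeled "$WANT_TYPE")
        echo "mislabeled entries under $DATA_DIR: $bad"
        [ "$bad" -eq 0 ] || explain_denials
        ;;
esac
```

Run it with the `apply` argument as root after the data directory exists; without arguments it only defines the functions.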
Running
sudo sealert -a /var/log/audit/audit.log
here gave some useful insight and suggestions for SELinux configuration changes. (We also changed the dbPath value in mongod.conf.)