In the GBase 8a V8 series, SELinux must be disabled on the operating system, whereas in the V9 series it can be left enabled as normal.
V8 series
Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled.
[gbase@rh6-1 gcware]$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
After that, rebooting the operating system is recommended; then confirm that the change has taken effect.
[gbase@rh6-1 gcware]$ getenforce
Disabled
[gbase@rh6-1 gcware]$
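If you do not want to reboot, you can turn SELinux off temporarily with the following command. On a running system, setenforce 0 switches SELinux to permissive mode until the next reboot; on the host below it was already disabled, hence the message.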
[gbase@rh6-1 gcware]$ setenforce 0
setenforce: SELinux is disabled
[gbase@rh6-1 gcware]$ getenforce
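V9 series
SELinux no longer needs to be disabled; the database runs normally with it enabled, mainly because it uses only resources belonging to the dbaUser (usually gbase).
Services start normally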
Last login: Wed Mar 3 12:24:48 CST 2021 on pts/0
[gbase@gbase_rh7_001 ~]$ getenforce
Enforcing
[gbase@gbase_rh7_001 ~]$ gcluster_services all start
Starting gcware : [ OK ]
Starting gcluster : [ OK ]
Starting gcrecover : [ OK ]
Starting gbase : [ OK ]
Starting syncserver : [ OK ]
Starting GCMonit success!
[gbase@gbase_rh7_001 ~]$ ps -efZ|grep gbase
system_u:system_r:avahi_t:s0 avahi 554 1 0 12:27 ? 00:00:00 avahi-daemon: running [gbaserh7001.local]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3296 3112 0 12:28 pts/0 00:00:00 su - gbase
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3297 3296 0 12:28 pts/0 00:00:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3555 1 12 12:28 ? 00:00:04 /opt/gbase/gcware/sbin/gcware
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3586 1 12 12:28 pts/0 00:00:04 /opt/gbase/gcluster/server/bin/gclusterd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3636 1 11 12:28 pts/0 00:00:03 /opt/gbase/gcluster/server/bin/gcrecover
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3684 1 4 12:28 pts/0 00:00:01 /opt/gbase/gnode/server/bin/gbased
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4240 1 0 12:28 pts/0 00:00:00 /opt/gbase/gnode/server/bin/gc_sync_server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4292 1 1 12:28 pts/0 00:00:00 /opt/gbase/gcluster/server/bin/gcmonit --start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4294 1 0 12:28 pts/0 00:00:00 /opt/gbase/gcluster/server/bin/gcmmonit --start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 5230 3297 0 12:29 pts/0 00:00:00 ps -efZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 5231 3297 0 12:29 pts/0 00:00:00 grep --color=auto gbase
[gbase@gbase_rh7_001 ~]$
Queries work normally
[gbase@gbase_rh7_001 ~]$ gccli
GBase client 9.5.2.36.125743. Copyright (c) 2004-2021, GBase. All Rights Reserved.
gbase> select count(*) from vc01.testdb.t1;
+----------+
| count(*) |
+----------+
| 2 |
+----------+
1 row in set (Elapsed: 00:00:00.11)
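Summary
If security hardening requirements mandate that SELinux be enabled, use the V9 series and configure a security policy for the gbase processes yourself. By default, the database uses only resources under the dbaUser's (usually gbase) home directory and the database installation directory. In addition, /dev/shm is used for shared-memory exchange and /tmp for temporary files (configurable).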
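
In the ps -efZ listing in the V9 section every GBase daemon runs in the unconfined_t domain, which the targeted policy leaves largely unrestricted, so a policy written for these processes should change that label. The script below is an added example, not part of the original page or of GBase: it reports the SELinux domain of each daemon so the effect of a policy can be checked. It assumes the daemons are installed under /opt/gbase as in the listing; the function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report the SELinux domain of each GBase daemon from `ps -efZ` output.
# Assumption: daemons are installed under /opt/gbase, as in the page's listing.

# Constructed sample input, shaped like the page's `ps -efZ | grep gbase` output.
sample_ps() {
cat <<'EOF'
system_u:system_r:avahi_t:s0 avahi 554 1 0 12:27 ? 00:00:00 avahi-daemon: running [gbaserh7001.local]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3555 1 12 12:28 ? 00:00:04 /opt/gbase/gcware/sbin/gcware
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3684 1 4 12:28 pts/0 00:00:01 /opt/gbase/gnode/server/bin/gbased
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 5231 3297 0 12:29 pts/0 00:00:00 grep --color=auto gbase
EOF
}

# gbase_domains [install_prefix]
# Reads `ps -efZ` lines on stdin and prints "<domain> <pid> <binary>" for every
# process whose executable path starts with the install prefix.
gbase_domains() {
  awk -v prefix="${1:-/opt/gbase}/" '
    {
      # Field 1 is the label user:role:type:level; the type (domain) is item 3.
      split($1, ctx, ":")
      # Columns after LABEL: UID PID PPID C STIME TTY TIME CMD, so CMD is field 9.
      if (index($9, prefix) == 1) {
        n = split($9, path, "/")
        print ctx[3], $3, path[n]
      }
    }'
}

# count_unconfined [install_prefix]
# Prints how many GBase daemons on stdin still run in unconfined_t.
count_unconfined() {
  gbase_domains "$@" | awk '$1 == "unconfined_t" { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample; on a live host use: ps -efZ | gbase_domains
sample_ps | gbase_domains
echo "unconfined GBase daemons: $(sample_ps | count_unconfined)"
```

Matching on the executable path rather than on the string "gbase" keeps the avahi-daemon and grep lines, which only mention the name, out of the report.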