GBase 8a (南大通用) SELinux configuration requirements

In the GBase 8a V8 series the operating system's SELinux must be disabled; in the V9 series it can remain in its normal enabled state.

V8 versions

Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled.

[gbase@rh6-1 gcware]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards it is recommended to reboot the operating system and confirm that the change has taken effect.

[gbase@rh6-1 gcware]$ getenforce
Disabled
[gbase@rh6-1 gcware]$

If you do not want to reboot, SELinux can be turned off temporarily with the following command:

[gbase@rh6-1 gcware]$ setenforce 0
setenforce: SELinux is disabled
[gbase@rh6-1 gcware]$ getenforce
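
The following script is an added example and is not part of the GBase documentation. It turns the requirement above into a repeatable check: it reads the persistent SELINUX= value from a copy of /etc/selinux/config, compares it with what getenforce reported, and returns a verdict for V8 (must be disabled) or V9 (any mode). Passing the config path and the runtime mode as parameters is an assumption of this example so that it can be run against a saved config and a recorded getenforce value without root. It also distinguishes the "config edited, reboot still pending" state, which is what a host is in after setenforce 0 (that command only reaches Permissive; it does not unload the policy).

```shell
#!/bin/sh
# Added example, not part of the GBase documentation: check a host's SELinux
# state against the requirement stated in this post (V8: SELinux must be
# disabled; V9: SELinux may stay enabled). Config path and runtime mode are
# parameters so the check can run against a saved copy of /etc/selinux/config
# and a recorded getenforce value, without root and without touching the host.

# Persistent mode: the SELINUX= value in the config file, skipping comments.
# Prints "unknown" if no SELINUX= line is found.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# Map getenforce's capitalised output ("Enforcing") onto the lowercase
# vocabulary used in the config file ("enforcing").
normalise_mode() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# gbase_selinux_check VERSION CONFIG_FILE RUNTIME_MODE
#   VERSION      "V8" or "V9"
#   CONFIG_FILE  path to (a copy of) /etc/selinux/config
#   RUNTIME_MODE what `getenforce` printed: Enforcing, Permissive or Disabled
# Exit status: 0 = GBase can run, 1 = config must be changed,
#              2 = config is right but the running kernel differs (reboot pending).
gbase_selinux_check() {
    version=$1
    cfg_mode=$(selinux_config_mode "$2")
    run_mode=$(normalise_mode "$3")

    case "$version" in
        V9)
            # V9 only uses dbaUser-owned resources, so any mode is acceptable.
            printf 'V9: SELinux %s at runtime, %s in config: OK\n' "$run_mode" "$cfg_mode"
            return 0
            ;;
        V8)
            if [ "$cfg_mode" != disabled ]; then
                printf 'V8: config has SELINUX=%s: set SELINUX=disabled and reboot\n' "$cfg_mode"
                return 1
            elif [ "$run_mode" != disabled ]; then
                # Config already edited, but a policy is still loaded in the
                # kernel. setenforce 0 only reaches Permissive, so the post's
                # advice stands: reboot and re-check with getenforce.
                printf 'V8: config says disabled but runtime is %s: reboot required\n' "$run_mode"
                return 2
            fi
            printf 'V8: SELinux disabled persistently and at runtime: OK\n'
            return 0
            ;;
        *)
            printf 'unknown GBase version: %s\n' "$version" >&2
            return 1
            ;;
    esac
}

# Constructed sample config with the same layout as /etc/selinux/config.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

# Usage: the V8 host after the reboot, the same host before the reboot
# (config edited, policy still loaded), and a V9 host with SELinux enforcing.
for args in "V8 Disabled" "V8 Permissive" "V9 Enforcing"; do
    set -- $args
    if gbase_selinux_check "$1" "$SAMPLE_CFG" "$2"; then :; else echo "  (exit status $?)"; fi
done
```

On a live host the same check is `gbase_selinux_check V8 /etc/selinux/config "$(getenforce)"`; a non-zero status from it is a reasonable gate in a pre-installation or post-reboot validation step.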

V9 versions

It is no longer necessary to disable SELinux; GBase runs normally with it enabled, mainly because it only uses resources belonging to dbaUser (usually gbase).

The services start normally:

Last login: Wed Mar  3 12:24:48 CST 2021 on pts/0
[gbase@gbase_rh7_001 ~]$ getenforce
Enforcing
[gbase@gbase_rh7_001 ~]$ gcluster_services all start
Starting gcware :                                          [  OK  ]
Starting gcluster :                                        [  OK  ]
Starting gcrecover :                                       [  OK  ]
Starting gbase :                                           [  OK  ]
Starting syncserver :                                      [  OK  ]
Starting GCMonit success!
[gbase@gbase_rh7_001 ~]$ ps -efZ|grep gbase
system_u:system_r:avahi_t:s0    avahi      554     1  0 12:27 ?        00:00:00 avahi-daemon: running [gbaserh7001.local]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3296 3112  0 12:28 pts/0 00:00:00 su - gbase
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3297 3296  0 12:28 pts/0 00:00:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3555 1 12 12:28 ? 00:00:04 /opt/gbase/gcware/sbin/gcware
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3586 1 12 12:28 pts/0 00:00:04 /opt/gbase/gcluster/server/bin/gclusterd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3636 1 11 12:28 pts/0 00:00:03 /opt/gbase/gcluster/server/bin/gcrecover
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3684 1  4 12:28 pts/0 00:00:01 /opt/gbase/gnode/server/bin/gbased
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4240 1  0 12:28 pts/0 00:00:00 /opt/gbase/gnode/server/bin/gc_sync_server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4292 1  1 12:28 pts/0 00:00:00 /opt/gbase/gcluster/server/bin/gcmonit --start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 4294 1  0 12:28 pts/0 00:00:00 /opt/gbase/gcluster/server/bin/gcmmonit --start
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 5230 3297  0 12:29 pts/0 00:00:00 ps -efZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 5231 3297  0 12:29 pts/0 00:00:00 grep --color=auto gbase
[gbase@gbase_rh7_001 ~]$

Queries run normally:

[gbase@gbase_rh7_001 ~]$ gccli

GBase client 9.5.2.36.125743. Copyright (c) 2004-2021, GBase.  All Rights Reserved.

gbase> select count(*) from vc01.testdb.t1;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
1 row in set (Elapsed: 00:00:00.11)

Summary

If security-hardening requirements mandate that SELinux stay enabled, use the V9 version and configure SELinux policy for the several GBase processes yourself. By default they only use resources under dbaUser's (usually gbase) home directory and the database installation directory; in addition, /dev/shm is used for shared-memory exchange and /tmp for temporary files (configurable).
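
The script below is an added example, not part of the GBase documentation. The ps -efZ listing earlier on this page shows every GBase daemon running in the generic unconfined_t domain even though getenforce reports Enforcing: SELinux is on, but it is not confining GBase at all, which is exactly the gap the summary leaves to the operator. The audit reads ps -efZ output and reports the SELinux domain of each GBase daemon, so that a "write your own policy" task has a measurable before and after. It assumes the GBase binaries live under /opt/gbase, as in the listing above; the gbased_t domain in the constructed sample is hypothetical and stands for whatever domain an operator's own policy would assign.

```shell
#!/bin/sh
# Added example, not part of the GBase documentation: report the SELinux
# domain of every GBase daemon found in `ps -efZ` output. The post's listing
# shows all of them in unconfined_t, i.e. SELinux is enforcing but does not
# confine GBase; this audit makes that state visible and checkable.
# Assumptions: GBase binaries live under /opt/gbase (the path in the post's
# listing); the ps listing is read from stdin so a saved copy can be audited.

GBASE_PREFIX=/opt/gbase

# gbase_process_domains < ps-efZ-output
# Prints one "PID DOMAIN BINARY" line per GBase daemon.
# ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD...
gbase_process_domains() {
    awk -v prefix="$GBASE_PREFIX" '
        NR == 1 && $1 == "LABEL" { next }      # skip the ps header, if present
        index($9, prefix) == 1 {               # command path starts with /opt/gbase
            split($1, ctx, ":")                # label is user:role:type:level
            print $3, ctx[3], $9
        }'
}

# unconfined_gbase_count < ps-efZ-output
# Number of GBase daemons whose SELinux type is the catch-all unconfined_t.
unconfined_gbase_count() {
    gbase_process_domains | awk '$2 == "unconfined_t" { n++ } END { print n + 0 }'
}

# Constructed sample: the header, one non-GBase process and two GBase daemons
# in the shape of the post's listing, plus one hypothetical line showing a
# daemon that has been moved into its own domain (gbased_t is invented).
SAMPLE_PS='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:avahi_t:s0    avahi      554     1  0 12:27 ?        00:00:00 avahi-daemon: running [gbaserh7001.local]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3555 1 12 12:28 ? 00:00:04 /opt/gbase/gcware/sbin/gcware
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gbase 3684 1  4 12:28 pts/0 00:00:01 /opt/gbase/gnode/server/bin/gbased
system_u:system_r:gbased_t:s0 gbase 3999 1 0 12:28 ? 00:00:00 /opt/gbase/gnode/server/bin/gc_sync_server'

# Usage on the constructed sample; on a live host: ps -efZ | gbase_process_domains
printf '%s\n' "$SAMPLE_PS" | gbase_process_domains
printf 'GBase daemons still in unconfined_t: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | unconfined_gbase_count)"
```

A hardening target for a V9 deployment is simply that unconfined_gbase_count returns 0 once the operator's policy is loaded; until then an enforcing getenforce result says nothing about how well the database processes are contained.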