When SELinux is disabled I have no problems, but when it is enforcing I run into this issue:
[systemd] failed to get d-bus session: Failed to connect to socket /run/dbus/system_bus_socket: Permission denied
Audit log:
sealert -a /var/log/audit/audit.log
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/zabbix_agentd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that zabbix_agentd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zabbix_agentd' --raw | audit2allow -M my-zabbixagentd
# semodule -i my-zabbixagentd.pp
I created a policy following the suggestion above and restarted zabbix-agent; now I get this in the zabbix agent log:
[systemd] failed to get d-bus session: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
sealert -a /var/log/audit/audit.log
39% done
type=AVC msg=audit(1534885076.573:250): avc: denied { connectto } for pid=10654 comm="zabbix_agentd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
**** Invalid AVC allowed in current policy ***
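As an added example (not code from the question, the answer, or the SELinux tooling), the following Python parses the AVC record quoted above, extracts the source and target types and the denied permission, and prints the type-enforcement rule that audit2allow would derive from it, so the rule can be reviewed before anything is built and loaded with semodule. The sample record is the one from the audit log above, embedded inline; the field layout assumed is the standard kernel AVC record format.

```python
import re

# Constructed sample: the AVC record quoted from the audit log above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1534885076.573:250): avc: denied { connectto } '
    'for pid=10654 comm="zabbix_agentd" path="/run/dbus/system_bus_socket" '
    'scontext=system_u:system_r:zabbix_agent_t:s0 '
    'tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket'
)

# Core of a kernel AVC record: result, permission set, then key=value fields.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """The type is the third colon-separated field of an SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None  # not a complete record
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'comm': fields.get('comm'), 'path': fields.get('path'), 'tclass': fields['tclass'],
            'stype': selinux_type(fields['scontext']), 'ttype': selinux_type(fields['tcontext'])}

def allow_rule(rec):
    """Type-enforcement rule equivalent to what audit2allow derives from this denial."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_text)

def summarize_denials(lines):
    """Group denied AVC records by (source type, target type, class), merging permissions."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue  # non-AVC lines, such as the agent's own D-Bus error, are skipped
        groups.setdefault((rec['stype'], rec['ttype'], rec['tclass']), set()).update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec['comm'], 'denied', ' '.join(rec['perms']), 'on', rec['path'], '->', allow_rule(rec))
```

Feed it the raw lines from ausearch rather than sealert's progress output, since the "39% done" prefix seen above would otherwise be glued to the first record.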
Well, first you have to identify the denial you are getting from SELinux. The simplest way (in my opinion) is the sealert utility. First install the setroubleshoot-server package, then run:
You may get a lot of output; look for your specific denial and follow the suggestion. But be sure not to allow things that should not be allowed!
Here is an example of a denial, and the fix that sealert suggests (my emphasis):
The example above again concerns Postfix; look up your own denial and insert a local policy.