SELinux causes "nexus.service: Failed at step EXEC spawning /opt/nexus/bin/nexus: Permission denied" on Fedora 26, nexus 3.06

After installing the latest version of Nexus (currently 3.6.0), I can start it with the manual command

/opt/nexus/bin/nexus start

but when I try to start it as a service (following the instructions at https://help.sonatype.com/display/NXRM3/Installation#Installation-RunningtheService), I get the following:

Oct 04 13:47:53 localhost.localdomain sudo[2546]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl start nexus.service
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_CMD pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=73797374656D63746C207374617274206E657875732E7365
Oct 04 13:47:53 localhost.localdomain audit[2546]: CRED_REFR pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_systemd(sudo:session): Cannot create session: Already running in a session
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_START pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyini
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_unix(sudo:session): session opened for user root by root(uid=0)
Oct 04 13:47:53 localhost.localdomain systemd[1]: Starting nexus service...
-- Subject: Unit nexus.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nexus.service has begun starting up.
Oct 04 13:47:53 localhost.localdomain systemd[2549]: nexus.service: Failed at step EXEC spawning /opt/nexus/bin/nexus: Permission denied
-- Subject: Process /opt/nexus/bin/nexus could not be executed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /opt/nexus/bin/nexus could not be executed and failed.
--
-- The error number returned by this process is 13.
Oct 04 13:47:53 localhost.localdomain audit[2549]: AVC avc:  denied  { execute } for  pid=2549 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:adm
Oct 04 13:47:53 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Control process exited, code=exited status=203
Oct 04 13:47:53 localhost.localdomain systemd[1]: Failed to start nexus service.
-- Subject: Unit nexus.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nexus.service has failed.
--
-- The result is failed.
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Unit entered failed state.
Oct 04 13:47:53 localhost.localdomain systemd[1]: nexus.service: Failed with result 'exit-code'.
Oct 04 13:47:53 localhost.localdomain sudo[2546]: pam_unix(sudo:session): session closed for user root
Oct 04 13:47:53 localhost.localdomain audit[2546]: USER_END pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit
Oct 04 13:47:53 localhost.localdomain audit[2546]: CRED_DISP pid=2546 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/

Update: I found that disabling SELinux, i.e. setenforce 0, allows the service to be managed, but I don't want that as a long-term solution.

Here are a few lines from /var/log/audit/audit.log

type=AVC msg=audit(1507473817.658:193): avc:  denied  { execute } for  pid=975 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1507473817.660:194): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1507474250.245:195): avc:  denied  { execute } for  pid=1052 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:unconfined_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1507474250.246:196): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=nexus comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Can someone help from here?

Answer 1

To correct this, add an SELinux policy that allows systemd to access the nexus binary at the path /app/nexus/bin/nexus, using the following command.

sudo chcon -R -t bin_t /opt/nexus/bin/nexus

Answer 2

After spending some time on this issue, I have to propose an answer. I ran into the same problem mentioned above. My OS is RHEL 7.5 with SELinux set to enforcing. The Nexus version is 3.13.0-01.

The systemd service integration is defined by Sonatype. See Sonatype's instructions for running it as a systemd service here: https://help.sonatype.com/repomanager3/installation/run-as-a-service

The service started with the nexus.service definition from that page, but eventually timed out and shut down. The service type was forking. The forking type waits for a while for the parent process to exit, but that event apparently never happens. I did not contact Sonatype, but since this issue has not been resolved, I am adding a solution that works. To fix it, I changed the type from forking to simple in the nexus.service file.

Answer 3

Also make sure that /opt/nexus is owned by the nexus user.

Here is a snippet that works, at /etc/systemd/system/nexus.service:

[Unit]
Description=nexus service
After=network.target

[Service]
Type=simple
LimitNOFILE=65536
ExecStart=/opt/nexus-3.19.0-01/bin/nexus start
ExecStop=/opt/nexus-3.19.0-01/bin/nexus stop
User=nexus
Restart=on-abort

[Install]
WantedBy=multi-user.target

Answer 4

Set the context of the nexus directory (perhaps overkill, but better than disabling SELinux): https://linux.die.net/man/8/initrc_selinux

semanage fcontext -a -t initrc_t   "/opt/nexus(/.*)?"
semanage fcontext -a -t initrc_exec_t   "/opt/nexus(/.*)?"

# list
semanage fcontext --list | grep '/opt/nexus'
# apply changes 
restorecon -R -v /opt/nexus > /dev/null
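Added example (not code from the question or from any of the answers above), covering the point shared by Answer 1 and Answer 4: the AVC record in the question says that init_t was denied execute on a file labelled admin_home_t, which is the label files under /root carry, and a tree unpacked in /root and then moved (rather than copied) to /opt keeps that label. Answer 1's chcon fixes the label immediately but is lost on the next restorecon or filesystem relabel; recording the rule with semanage fcontext, as Answer 4 does, survives both. The script below reads an AVC record in the layout shown in the question, explains the denial, reports the label a path carries right now, and prints the persistent fix. It uses bin_t (the type Answer 1 chose) rather than initrc_exec_t; the install directory /opt/nexus, the function names and the wording of the verdict are my assumptions, and the sample record is constructed from the question's audit.log line.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Triage an SELinux AVC denial for a systemd-launched binary and print the
# persistent fix. Assumed: the install directory is /opt/nexus and the AVC
# record has the layout shown in the question's /var/log/audit/audit.log.

# Sample AVC record, constructed to match the question's audit.log line.
SAMPLE_AVC='type=AVC msg=audit(1507473817.658:193): avc:  denied  { execute } for  pid=975 comm="(nexus)" name="nexus" dev="dm-0" ino=398592 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of the space-delimited KEY=value pair, quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_permission LINE: the permission named inside "{ ... }", e.g. execute.
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# selinux_type CONTEXT: the type field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_diagnose LINE: one-line verdict. Home and user labels on a file under
# /opt mean the tree was unpacked elsewhere and moved, keeping its old label.
avc_diagnose() {
    perm=$(avc_permission "$1")
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    case "$tgt" in
        admin_home_t|user_home_t|unconfined_exec_t)
            printf '%s may not %s a file labelled %s: relabel the binary instead of disabling SELinux\n' "$src" "$perm" "$tgt" ;;
        *)
            printf '%s denied %s on %s: inspect with ausearch -m avc before relabelling\n' "$src" "$perm" "$tgt" ;;
    esac
}

# fix_commands DIR: record the label in policy, then apply it. Unlike chcon,
# a semanage fcontext rule survives restorecon and a full relabel.
fix_commands() {
    printf 'semanage fcontext -a -t bin_t "%s/bin(/.*)?"\n' "$1"
    printf 'restorecon -R -v "%s"\n' "$1"
}

# current_type PATH: the SELinux type PATH carries now, "missing" if PATH does
# not exist, or "unlabeled" when there is no label (GNU stat prints "?" then).
current_type() {
    [ -e "$1" ] || { echo missing; return; }
    ctx=$(stat -c %C -- "$1" 2>/dev/null) || ctx='?'
    case "$ctx" in
        ''|'?') echo unlabeled ;;
        *) selinux_type "$ctx" ;;
    esac
}

# Stand-alone run: triage the sample record and show the fix.
echo "verdict: $(avc_diagnose "$SAMPLE_AVC")"
echo "label on /opt/nexus/bin/nexus now: $(current_type /opt/nexus/bin/nexus)"
echo "persistent fix:"
fix_commands /opt/nexus
```

On the affected host, feed it real records (for example the output of ausearch -m avc -ts recent) instead of the sample, apply the two printed commands as root, and confirm with stat -c %C /opt/nexus/bin/nexus that the type is now bin_t before starting the unit again; the EXEC step failure in the journal should be gone without touching setenforce.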
