Systemd 服务无法运行firewall-cmd

2024-6-20 • tag-icon

我最近在我的 Fedora-38 机器上设置了wireguard，并使用它启动它，systemctl start wg-quick@wg0到目前为止，它运行得很好。当我启动该服务时，我看到以下错误消息：

 wg-quick[943]: [#] firewall-cmd --add-service wireguard && firewall-cmd --add-masquerade
 wg-quick[979]: ERROR:dbus.proxies:Introspect error on :1.8:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
 wg-quick[979]: Error: Sender is not authorized to send message

这是wireguard 配置文件/etc/wireguard/wg0.conf：

[Interface]
Address    = 192.168.2.1/24, fd00:7::1/48
PrivateKey = ...
PostUp     = firewall-cmd --add-service wireguard && firewall-cmd --add-masquerade
PostDown   = firewall-cmd --remove-service wireguard && firewall-cmd --remove-masquerade
ListenPort = 51820

[Peer]
PublicKey    = ...
PresharedKey = ...
AllowedIPs   = 192.168.2.2/32, fd00:7::2/48

<more peers>

这是位于以下位置的服务文件：/usr/lib/systemd/system/[email protected]

[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target

编辑：它与 SELinux 有关：将其设置为允许wireguard_t使用后semanage permissive -a wireguard_t，我在以下位置看到这些问题audit.log：

type=AVC msg=audit(1684943435.472:1978): avc: denied { search } for pid=27556 comm="firewall-cmd" name="pki" dev="dm-0" ino=8390592 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(1684943435.472:1979): avc: denied { read } for pid=27556 comm="firewall-cmd" name="openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1980): avc: denied { open } for pid=27556 comm="firewall-cmd" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1981): avc: denied { getattr } for pid=27556 comm="firewall-cmd" path="/etc/pki/tls/openssl.cnf" dev="dm-0" ino=16812949 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1982): avc: denied { read } for pid=27556 comm="firewall-cmd" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1684943435.472:1983): avc: denied { open } for pid=27556 comm="firewall-cmd" path="/sys/devices/system/cpu/possible" dev="sysfs" ino=42 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

相关内容