以 root 身份以模式 777 打开文件时权限被拒绝

以 root 身份以模式 777 打开文件时权限被拒绝

我正在尝试安装并运行 syslog-ng,但却被以下错误阻止了。

Error opening configuration file; filename='/etc/syslog-ng/syslog-ng.conf', error='Permission denied (13)'

我使用 sudo 运行此命令,文件和目录现在都具有 777 权限。我使用 strace 发现这肯定是一个因 EACCESS 而失败的开放调用。据我们所知,它不会更改为其他用户。

更新:根据要求:strace 输出

[edward.sargisson@apps-mgmt-fe1 syslog-ng]$ sudo strace -f -v -eopen /etc/init.d/syslog-ng start
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/libtermcap.so.2", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY)     = 3
open("/lib64/libc.so.6", O_RDONLY)      = 3
open("/dev/tty", O_RDWR|O_NONBLOCK)     = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY)         = 3
open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/etc/init.d/syslog-ng", O_RDONLY) = 3
open("/etc/init.d/functions", O_RDONLY) = 3
Process 4802 attached (waiting for parent)
Process 4802 resumed (parent 4801 ready)
Process 4803 attached (waiting for parent)
Process 4803 resumed (parent 4802 ready)
Process 4802 suspended
[pid  4803] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  4803] open("/lib64/libc.so.6", O_RDONLY) = 3
Process 4802 resumed
Process 4803 detached
[pid  4802] --- SIGCHLD (Child exited) @ 0 (0) ---
Process 4802 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
open("/etc/profile.d/lang.sh", O_RDONLY) = 3
open("/etc/sysconfig/i18n", O_RDONLY)   = 3
open("/etc/sysconfig/init", O_RDONLY)   = 3
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No    such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/sysconfig/syslog-ng", O_RDONLY) = 3
Process 4804 attached (waiting for parent)
Process 4804 resumed (parent 4801 ready)
Process 4801 suspended
[pid  4804] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  4804] open("/lib64/libnsl.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/librt.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/libnet.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid  4804] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid  4804] open("/lib64/libpthread.so.0", O_RDONLY) = 3
[pid  4804] open("/etc/eventlog.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4804] open("/etc/localtime", O_RDONLY) = 3
[pid  4804] open("/etc/syslog-ng/syslog-ng.conf", O_RDONLY) = -1 EACCES (Permission denied)
Error opening configuration file; filename='/etc/syslog-ng/syslog-ng.conf', error='Permission denied (13)'
Process 4801 resumed
Process 4804 detached
--- SIGCHLD (Child exited) @ 0 (0) ---

作为测试,我们将 syslog-ng.conf 移到某个地方,然后将其复制回来 - 这样做虽然可以工作,但并没有什么帮助。如果我使用 chef 替换文件,那么 syslog-ng 将无法启动。

答案1

好的,这原来是 SELinux 相关的问题。仅供参考,/var/log/audit/audit.log可以检查以获取 SELinux 相关事件,auditd应启动以启用此日志。有两种可能的解决方案:禁用 SELinux(不推荐)或创建允许访问此文件的自定义 SELinux 策略。也许该文件没有与之关联的适当安全上下文,那么自定义策略就不需要了。

提问者补充道:使用ls -Z我现在可以看到文件具有 上下文user_u:object_r:tmp_t。我猜想 chef 从 chef 服务器复制文件并获取上下文tmp_t。但是,文件需要 默认上下文。Chef 有一个 selinux cookbook,它/etc似乎etc_t具有适当的功能来控制这一点。

相关内容