xray-ui icon indicating copy to clipboard operation
xray-ui copied to clipboard
verified publisher icon qist

SELinux下的Permission Denied

Open muiyu opened this issue 1 year ago • 7 comments

Welcome

  • [X] Yes, I'm using the latest major release. Only such installations are supported.
  • [X] Yes, I'm using the supported system. Only such systems are supported.
  • [X] Yes, I have read all WIKI document,nothing can help me in my problem.
  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've included all information below (version, config, log, etc).

Description of the problem,screencshot would be good

在具有SELinux的系统中,开机自启会由于SELinux的严格策略无法正常启用,即在每次设备重启之后xray-ui无法正常工作,这在xray的内核日志中表现为/usr/local/xray-ui/xray-ui Permission Denied

这个问题可以通过restorecon命令,通过恢复xray-ui在SELinux严格策略下的上下文关系解决;但该解决方案带来的另一个问题是,部署在服务器上的nginx无法反向代理至UI面板(502 Bad Gateway),这同样是由于SELinux的严格执行策略造成的,因为当本人取消SELinux服务时,对于UI页面的反向代理恢复正常。

令一个解决方案是每次重启时,手动重新下载安装一遍该xray-ui脚本,不过这显然不是长久之策。

Version of xray-ui

Jul 05 07:13:46 XXX xray-ui[12381]: 2024/07/05 07:13:46 xray-ui 1.8.24

xray-ui log reports or xray log

Jul 05 07:11:02 XXX systemd[1]: Started xray-ui Service.
Jul 05 07:11:02 XXX systemd[1]: xray-ui.service: Main process exited, code=exited, status=203/EXEC
Jul 05 07:11:02 XXX systemd[1]: xray-ui.service: Failed with result 'exit-code'.
Jul 05 07:11:07 XXX systemd[1]: xray-ui.service: Service RestartSec=5s expired, scheduling restart.
Jul 05 07:11:07 XXX systemd[1]: xray-ui.service: Scheduled restart job, restart counter is at 1.
Jul 05 07:11:07 XXX systemd[1]: Stopped xray-ui Service.
Jul 05 07:11:07 XXX systemd[1]: Started xray-ui Service.
Jul 05 07:11:07 XXX systemd[1964]: xray-ui.service: Failed to execute command: Permission denied
Jul 05 07:11:07 XXX systemd[1964]: xray-ui.service: Failed at step EXEC spawning /usr/local/xray-ui/xray-ui: Permission denied

muiyu avatar Jul 05 '24 07:07 muiyu

本人使用的是Oracle Linux 9,所以SELinux的执行策略可能更为严格,因为目前没有看见其他类似的issue

muiyu avatar Jul 05 '24 07:07 muiyu

你先手动执行下

yum install -y policycoreutils-python-utils
# 添加SELinux上下文
DIRECTORY="/usr/local/xray-ui"
echo "Setting SELinux context for $DIRECTORY..."
semanage fcontext -a -t httpd_sys_rw_content_t  "${DIRECTORY}(/.*)?"

# 应用SELinux上下文
echo "Applying SELinux context to $DIRECTORY..."
restorecon -Rv ${DIRECTORY}
#获取端口
PORT_NUMBER=$(/usr/local/xray-ui/xray-ui setting -show | grep "登录端口" | awk -F': ' '{print $2}')
semanage port -a -t http_port_t -p tcp ${PORT_NUMBER}
# 检查当前允许的端口
semanage port -l | grep http_port_t

qist avatar Jul 06 '24 01:07 qist

你先手动执行下

yum install -y policycoreutils-python-utils
# 添加SELinux上下文
DIRECTORY="/usr/local/xray-ui"
echo "Setting SELinux context for $DIRECTORY..."
semanage fcontext -a -t httpd_sys_rw_content_t  "${DIRECTORY}(/.*)?"

# 应用SELinux上下文
echo "Applying SELinux context to $DIRECTORY..."
restorecon -Rv ${DIRECTORY}
#获取端口
PORT_NUMBER=$(/usr/local/xray-ui/xray-ui setting -show | grep "登录端口" | awk -F': ' '{print $2}')
semanage port -a -t http_port_t -p tcp ${PORT_NUMBER}
# 检查当前允许的端口
semanage port -l | grep http_port_t

使用了该方法,经过测试,xray-ui本身的标签不能为httpd_sys_rw_content_t,在本人的测试下只有当标签为bin_t时面板可以正常工作。而这种情况下,即使我已经添加了面板的运行端口至http_port_t组中时,同样无法使用nginx的反代服务,具体的阻止日志如下:

time->Sat Jul  6 12:09:58 2024
type=PROCTITLE msg=audit(1720267798.377:84): proctitle=6E67696E783A20776F726B65722070726F63657373
type=SYSCALL msg=audit(1720267798.377:84): arch=c000003e syscall=42 success=no exit=-115 a0=9 a1=5593325b3648 a2=10 a3=7fffa1f5c32c items=0 ppid=2376 pid=2380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1720267798.377:84): avc:  denied  { name_connect } for  pid=2380 comm="nginx" dest=42636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

本人使用其他标签尝试了一下午,没有找到其他解决的办法,加之本人的服务器没有其他用途,因此暂时使用了SELinux的Permissive模式来同时运行面板和nginx反代功能。但对于有生产任务的服务器来说,这应该不是一个好的策略。

muiyu avatar Jul 06 '24 12:07 muiyu

另外这个问题会造成SELinux的setroubleshoot服务为了处理报错而大量占据服务器资源,至少今天下午我确实确认了我用于搭建服务的服务器最近频繁掉线的原因就是这个

muiyu avatar Jul 06 '24 12:07 muiyu

那你等等我这边先测试一下。

qist avatar Jul 06 '24 13:07 qist 

semanage fcontext -a -t bin_t '/usr/local/xray-ui(/.*)?'
restorecon -Rv '/usr/local/xray-ui'
PORT_NUMBER=$(/usr/local/xray-ui/xray-ui setting -show | grep "登录端口" | awk -F': ' '{print $2}')
# 修改端口类型
semanage port -a -t http_port_t -p tcp ${PORT_NUMBER}
#启用布尔值
setsebool -P httpd_can_network_connect 1
#生成本地策略模块
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -X 300 -i my-nginx.pp

这边这样配置就可以了。rocky9 测试的。你那边测试配置好建议分享一下我写个md

qist avatar Jul 08 '24 03:07 qist

我晚些时候会尝试一下,如果无误会关闭这个issue的

muiyu avatar Jul 08 '24 07:07 muiyu