以 root 用户身份以 777 模式打开文件时权限被拒绝

Sar*_*rge 6 permissions chef syslog-ng

我正在尝试安装和运行 syslog-ng,但由于以下错误而被阻止。

Error opening configuration file; filename='/etc/syslog-ng/syslog-ng.conf', error='Permission denied (13)'
Run Code Online (Sandbox Code Playgroud)

我用 sudo 运行它,文件和目录现在都有 777 权限。我使用过 strace,它绝对是一个公开调用,但 EACCESS 失败了。据我们所知,它不会更改为另一个用户。

更新:根据要求:strace 输出

[edward.sargisson@apps-mgmt-fe1 syslog-ng]$ sudo strace -f -v -eopen /etc/init.d/syslog-ng start
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib64/libtermcap.so.2", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY)     = 3
open("/lib64/libc.so.6", O_RDONLY)      = 3
open("/dev/tty", O_RDWR|O_NONBLOCK)     = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY)         = 3
open("/usr/lib64/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/etc/init.d/syslog-ng", O_RDONLY) = 3
open("/etc/init.d/functions", O_RDONLY) = 3
Process 4802 attached (waiting for parent)
Process 4802 resumed (parent 4801 ready)
Process 4803 attached (waiting for parent)
Process 4803 resumed (parent 4802 ready)
Process 4802 suspended
[pid  4803] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  4803] open("/lib64/libc.so.6", O_RDONLY) = 3
Process 4802 resumed
Process 4803 detached
[pid  4802] --- SIGCHLD (Child exited) @ 0 (0) ---
Process 4802 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
open("/etc/profile.d/lang.sh", O_RDONLY) = 3
open("/etc/sysconfig/i18n", O_RDONLY)   = 3
open("/etc/sysconfig/init", O_RDONLY)   = 3
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No    such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/initscripts.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/sysconfig/syslog-ng", O_RDONLY) = 3
Process 4804 attached (waiting for parent)
Process 4804 resumed (parent 4801 ready)
Process 4801 suspended
[pid  4804] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid  4804] open("/lib64/libnsl.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/librt.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/libnet.so.1", O_RDONLY) = 3
[pid  4804] open("/lib64/libdl.so.2", O_RDONLY) = 3
[pid  4804] open("/lib64/libc.so.6", O_RDONLY) = 3
[pid  4804] open("/lib64/libpthread.so.0", O_RDONLY) = 3
[pid  4804] open("/etc/eventlog.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4804] open("/etc/localtime", O_RDONLY) = 3
[pid  4804] open("/etc/syslog-ng/syslog-ng.conf", O_RDONLY) = -1 EACCES (Permission denied)
Error opening configuration file; filename='/etc/syslog-ng/syslog-ng.conf', error='Permission denied (13)'
Process 4801 resumed
Process 4804 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Run Code Online (Sandbox Code Playgroud)

作为测试,我们将 syslog-ng.conf 移到某处并将其复制回来 - 这使其工作但无济于事。如果我使用 Chef 来替换文件,那么 syslog-ng 将不会启动。

Ale*_*lex 4

好吧,结果证明这是一个与 SELinux 相关的问题。只是为了记录,/var/log/audit/audit.log可以检查得到SELinux相关的事件,auditd应该在启动时启用这个日志。有两种可能的解决方案:禁用 SELinux(不推荐)或创建允许访问此文件的自定义 SELinux 策略。也许该文件只是没有与之关联的适当的安全上下文,那么就不需要自定义策略。

发问者补充道:使用ls -Z我现在可以看到该文件具有user_u:object_r:tmp_t. 我的猜测是厨师从厨师服务器复制文件并获取上下文tmp_t。但是,该文件需要默认上下文/etcetc_t. Chef 有一本 selinux 食谱,它似乎具有控制此操作的适当功能。