SELinux is preventing (v2ray) from execute access on the 文件 /usr/local/bin/dnscrypt-proxy

[y0umu]

这issue和别的软体也有关系，我觉得和v2ray关系最大所以放在这里了

1) 你正在使用哪个版本的 V2Ray？（如果服务器和客户端使用了不同版本，请注明） v2ray-core v3.20 linux-64 on Fedora 28 服务器总是最新版本(v3.21?)不过服务器与此问题无关。 2) 你的使用场景是什么？比如使用 Chrome 通过 Socks/VMess 代理观看 YouTube 视频。 Google 3) 你看到的不正常的现象是什么？（请描述具体现象，比如访问超时，TLS 证书错误等） 已经通过systemd启动v2ray了的话，试图通过systemd启动dnscrypt-proxy会看到如下SELinux警报，导致dnscrypt-proxy无法启动

SELinux is preventing (v2ray) from execute access on the 文件 /usr/local/bin/dnscrypt-proxy.

*****  插件 catchall (100. 置信度) 建议  ********************************************

If you believe that (v2ray) should be allowed execute access on the dnscrypt-proxy file by default.
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
allow this access for now by executing:
# ausearch -c '(v2ray)' --raw | audit2allow -M my-v2ray
# semodule -X 300 -i my-v2ray.pp

更多信息:
源环境 (Context)                 system_u:system_r:init_t:s0
目标环境                          unconfined_u:object_r:user_home_t:s0
目标对象                          /usr/local/bin/dnscrypt-proxy [ file ]
源                             (v2ray)
源路径                           (v2ray)
端口                            <未知>
主机                            localhost.localdomain
源 RPM 软件包                     
目标 RPM 软件包                    
策略 RPM                        selinux-policy-3.14.1-24.fc28.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           localhost.localdomain
平台                            Linux localhost.localdomain 4.16.6-302.fc28.x86_64
                              #1 SMP Wed May 2 00:07:06 UTC 2018 x86_64 x86_64
警报计数                          10
第一个                           2018-02-26 09:41:52 CST
最后一个                          2018-05-13 09:44:21 CST
本地 ID                         4c6e5db3-3bd8-4bcf-868b-62a02762fb70

原始核查信息
type=AVC msg=audit(1526175861.801:458): avc:  denied  { execute } for  pid=4147 comm="(pt-proxy)" name="dnscrypt-proxy" dev="sdb3" ino=529996 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Hash: (v2ray),init_t,user_home_t,file,execute

直接启动dnscrypt-proxy也会遭遇此警报，但似乎不如systemd启动那样能100%复现。

sudo /usr/local/bin/dnscrypt-proxy -config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml

4) 你期待看到的正确表现是怎样的？ 如果这个问题是v2ray的bug，望修复。如果这个问题是Fedora SELinux policy的bug（How to confirm?），我将把这个问题转交给bugzilla或者社区。

5) 请附上你的配置（提交 Issue 前请隐藏服务器端IP地址）。

v2ray 客户端部分

/etc/systemd/system/v2ray.service

[Unit]
Description=V2Ray Service
After=network.target
Wants=network.target

[Service]
PermissionsStartOnly=true
Type=simple
PIDFile=/var/run/v2ray.pid
ExecStart=/usr/local/bin/v2ray/v2ray --config /etc/v2ray/config.json
Restart=on-failure
User=xzc
Group=xzc

[Install]
WantedBy=multi-user.target

/etc/v2ray/config.json

太长了见后面

dnscrypt-proxy部分

/etc/systemd/system/dnscrypt-proxy.service

[Unit]
Description=Encrypted/authenticated DNS proxy
ConditionFileIsExecutable=/usr/local/bin/dnscrypt-proxy
After=network.target
Wants=network.target

[Service]
PermissionsStartOnly=true
Type=simple
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/local/bin/dnscrypt-proxy -config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
WorkingDirectory=/usr/local/bin
Restart=always
RestartSec=120
#EnvironmentFile=-/etc/sysconfig/dnscrypt-proxy
User=xzc
Group=xzc

[Install]
WantedBy=multi-user.target

/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy

太长了见后面

6) 请附上出错时软件输出的错误日志。在 Linux 中，日志通常在 /var/log/v2ray/error.log 文件中。

v2ray部分

客户端错误日志:

没有找到与此问题发生时的错误日志

dnscrypt-proxy部分

$ systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
   Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Sun 2018-05-13 10:16:25 CST; 1min 56s ago
  Process: 5893 ExecStart=/usr/local/bin/dnscrypt-proxy -config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml (code=exited, status=203/EXEC)
 Main PID: 5893 (code=exited, status=203/EXEC)

10) 如果 V2Ray 服务运行不正常，请附上 journal 日志。 journalctl -u v2ray并没有返回什么有意义的东西

[y0umu]

/etc/v2ray/config.json

{
  "log": {
   "loglevel": "info",
   "access": "/var/log/v2ray/access.log",
   "error": "/var/log/v2ray/error.log"
  },
  "inbound": {
    "listen": "0.0.0.0",
    "port": 8080,
    "protocol": "http",
    "settings": {
      "timeout": 0,
      "allowTransparent": true
   }
  },
  "inboundDetour": [
    {
      "listen": "0.0.0.0",
      "port": 17900,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17901,
      "tag": "socksIn_wantWsOut_hmb_us_cdn",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8081,
      "tag": "httpIn_wantWsOut_hmb_us_cdn",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17903,
      "tag": "socksIn_wantWsOut_bwh_usca8_cdn",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8083,
      "tag": "httpIn_wantWsOut_bwh_usca8_cdn",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8084,
      "tag": "httpIn_wantWsOut_bwh_usca8_direct",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17904,
      "tag": "socksIn_wantWsOut_bwh_usca8_direct",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8085,
      "tag": "httpIn_wantWsOut_bwh_us_cdn",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17905,
      "tag": "socksIn_wantWsOut_bwh_us_cdn",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8086,
      "tag": "httpIn_wantWsOut_bwh_us_direct",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17906,
      "tag": "socksIn_wantWsOut_bwh_us_direct",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 8082,
      "tag": "httpIn_wantWsOut_hmb_us_direct",
      "protocol": "http",
      "settings": {
        "timeout": 0,
        "allowTransparent": true
      }
    },
    {
      "listen": "0.0.0.0",
      "port": 17902,
      "tag": "socksIn_wantWsOut_hmb_us_direct",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "0.0.0.0"
      }
    }
  ],
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "IP",
          "port": 5900,
          "users": [
            {
              "id":  "ID",
              "alterId": 64,
              "security": "aes-128-gcm"
            }
          ]
        },
        {
          "address": "IP",
          "port": 7800,
          "users": [
            {
              "id":  "ID",
              "alterId": 64,
              "security": "aes-128-gcm"
            }
          ]
        },
        {
          "address": "IP",
          "port": 7800,
          "users": [
            {
              "id":  "ID",
              "alterId": 64,
              "security": "aes-128-gcm"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "kcp",
      "kcpSettings": {
        "mtu": 1350,
        "tti": 20,
        "uplinkCapacity": 5,
        "downlinkCapacity": 20,
        "congestion": false,
        "readBufferSize": 1,
        "writeBufferSize": 1,
        "header": {
          "type": "none"
        }
      }
    }
  },
    "mux": {
      "enabled": true
    },
  "outboundDetour": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_bwh_us_direct",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_bwh_us_cdn",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_hmb_us_direct",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_bwh_usca8_cdn",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_hmb_us_cdn",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    },
    {
      "protocol": "vmess",
      "tag": "wsOut_bwh_usca8_direct",
      "settings": {
        "vnext": [
          {
            "address": "DOMAIN",
            "port": 443,
            "users": [
              {
                "id":  "ID",
                "alterId": 64,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
      "network": "ws",
      "wsSettings": {
            "path": "/sdafsdjfanoinvono",
            "headers": {
                "User-Agent": "Chromium SDK 59.0"
            }
        },
        "security": "tls",
        "tlsSettings": {
            "serverName": "DOMAIN",
            "allowInsecure": false
        }
      }
    }
  ],
  "dns": {
    "servers": [
      "8.8.8.8",
      "8.8.4.4"
    ]
  },
  "routing": {
    "strategy": "rules",
    "settings": {
      "domainStrategy": "IPIfNonMatch",
      "rules": [
        {
          "type": "field",
          "domain":[
            "onedrive.live.com"
          ],
          "outboundTag": "wsOut_hmb_us_direct"
        },
        {
          "type": "field",
          "domain" : [
             "some domains"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "1-52",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "54-79",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "81-442",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "444-2199",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "2201-5227",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "port": "5229-65535",
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "domain": ["geosite:cn"],
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "ip": [
            "0.0.0.0/8",
            "10.0.0.0/8",
            "100.64.0.0/10",
            "127.0.0.0/8",
            "169.254.0.0/16",
            "172.16.0.0/12",
            "192.0.0.0/24",
            "192.0.2.0/24",
            "192.168.0.0/16",
            "198.18.0.0/15",
            "198.51.100.0/24",
            "203.0.113.0/24",
            "::1/128",
            "fc00::/7",
            "fe80::/10",
            "geoip:cn"
          ],
          "outboundTag": "direct"
        },
        {
          "type": "field",
          "inboundTag": ["socksIn_wantWsOut_hmb_us_cdn", "httpIn_wantWsOut_hmb_us_cdn"],
          "outboundTag": "wsOut_hmb_us_cdn"
        },
        {
          "type": "field",
          "inboundTag": ["socksIn_wantWsOut_bwh_usca8_cdn", "httpIn_wantWsOut_bwh_usca8_cdn"],
          "outboundTag": "wsOut_bwh_usca8_cdn"
        },
        {
          "type": "field",
          "inboundTag": ["httpIn_wantWsOut_bwh_us_cdn", "socksIn_wantWsOut_bwh_us_cdn"],
          "outboundTag": "wsOut_bwh_us_cdn"
        },
        {
          "type": "field",
          "inboundTag": ["httpIn_wantWsOut_bwh_usca8_direct", "socksIn_wantWsOut_bwh_usca8_direct"],
          "outboundTag": "wsOut_bwh_usca8_direct"
        },
        {
          "type": "field",
          "inboundTag": ["httpIn_wantWsOut_bwh_us_direct", "socksIn_wantWsOut_bwh_us_direct"],
          "outboundTag": "wsOut_bwh_us_direct"
        },
        {
          "type": "field",
          "inboundTag": ["httpIn_wantWsOut_hmb_us_direct", "socksIn_wantWsOut_hmb_us_direct"],
          "outboundTag": "wsOut_hmb_us_direct"
        }
      ]
    }
  },
  "transport" : {}
}

[y0umu]

/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml

##############################################
#                                            #
#        dnscrypt-proxy configuration        #
#                                            #
##############################################

## You should adjust it to your needs, and save it as "dnscrypt-proxy.toml"
##
## Online documentation is available here: https://dnscrypt.info/doc

##################################
#         Global settings        #
##################################

## List of servers to use
##
## Servers from the "public-resolvers" source (see down below) can
## be viewed here: https://dnscrypt.info/public-servers
##
## If this line is commented, all registered servers matching the require_* filters
## will be used.
##
## The proxy will automatically pick the fastest, working servers from the list.
## Remove the leading # first to enable this; lines starting with # are ignored.

server_names = ['cloudflare', 'cloudflare-ipv6' , 'google']

## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
## Note: When using systemd socket activation, choose an empty set (i.e. [] ).

listen_addresses = ['127.0.0.1:53', '[::1]:53']

## Maximum number of simultaneous client connections to accept

max_clients = 250

## Require servers (from static + remote sources) to satisfy specific properties

# Use servers reachable over IPv4
ipv4_servers = true

# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = true

# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true

# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

## Require servers defined by remote sources to satisfy specific properties

# Server must support DNS security extensions (DNSSEC)
require_dnssec = false

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = true

## Always use TCP to connect to upstream servers.
## This can be can be useful if you need to route everything through Tor.
## Otherwise, leave this to `false`, as it doesn't improve security
## (dnscrypt-proxy will always encrypt everything even using UDP), and can
## only increase latency.

force_tcp = false

## How long a DNS query will wait for a response, in milliseconds

timeout = 2500

## Keepalive for HTTP (HTTPS, HTTP/2) queries, in seconds

keepalive = 30

## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'

lb_strategy = 'p2'

## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors)

log_level = 0

## log file for the application

# log_file = 'dnscrypt-proxy.log'

## Use the system logger (syslog on Unix, Event Log on Windows)

# use_syslog = true

## Delay, in minutes, after which certificates are reloaded

cert_refresh_delay = 240

## DNSCrypt: Create a new, unique key for every single DNS query
## This may improve privacy but can also have a significant impact on CPU usage
## Only enable if you don't have a lot of network load

dnscrypt_ephemeral_keys = false

## DoH: Disable TLS session tickets - increases privacy but also latency

tls_disable_session_tickets = false

## DoH: Use a specific cipher suite instead of the server preference
## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
##
## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
## the following suite improves performance.
## This may also help on Intel CPUs running 32-bit operating systems.
##
## Keep tls_cipher_suite empty if you have issues fetching sources or
## connecting to some DoH servers. Google and Cloudflare are fine with it.

# tls_cipher_suite = [52392, 49199]

## Fallback resolver
## This is a normal, non-encrypted DNS resolver, that will be only used
## for one-shot queries when retrieving the initial resolvers list, and
## only if the system DNS configuration doesn't work.
## No user application queries will ever be leaked through this resolver,
## and it will not be used after IP addresses of resolvers URLs have been found.
## It will never be used if lists have already been cached, and if stamps
## don't include host names without IP addresses.
## It will not be used if the configured system DNS works.
## A resolver supporting DNSSEC is recommended. This may become mandatory.
##
## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 1.1.1.1.

fallback_resolver = '223.5.5.5:53'

## Never let dnscrypt-proxy try to use the system DNS settings;
## unconditionally use the fallback resolver.

ignore_system_dns = true

## Maximum time (in seconds) to wait for network connectivity before
## initializing the proxy.
## Useful if the proxy is automatically started at boot, and network
## connectivity is not guaranteed to be immediately available.
## Use 0 to disable.

netprobe_timeout = 30

## Automatic log files rotation

# Maximum log files size in MB
log_files_max_size = 10

# How long to keep backup files, in days
log_files_max_age = 7

# Maximum log files backups to keep (or 0 to keep all backups)
log_files_max_backups = 1

#########################
#        Filters        #
#########################

## Immediately respond to IPv6-related queries with an empty response
## This makes things faster when there is no IPv6 connectivity, but can
## also cause reliability issues with some stub resolvers.
## Do not enable if you added a validating resolver such as dnsmasq in front
## of the proxy.

block_ipv6 = false

##################################################################################
#        Route queries for specific domains to a dedicated set of servers        #
##################################################################################

## Example map entries (one entry per line):
## example.com 9.9.9.9
## example.net 9.9.9.9,8.8.8.8,1.1.1.1

# forwarding_rules = 'forwarding-rules.txt'

###############################
#        Cloaking rules       #
###############################

## Cloaking returns a predefined address for a specific name.
## In addition to acting as a HOSTS file, it can also return the IP address
## of a different name. It will also do CNAME flattening.
##
## Example map entries (one entry per line)
## example.com     10.1.1.1
## www.google.com  forcesafesearch.google.com

# cloaking_rules = 'cloaking-rules.txt'

###########################
#        DNS cache        #
###########################

## Enable a DNS cache to reduce latency and outgoing traffic

cache = true

## Cache size

cache_size = 512

## Minimum TTL for cached entries

cache_min_ttl = 600

## Maximum TTL for cached entries

cache_max_ttl = 86400

## Minimum TTL for negatively cached entries

cache_neg_min_ttl = 60

## Maximum TTL for negatively cached entries

cache_neg_max_ttl = 600

###############################
#        Query logging        #
###############################

## Log client queries to a file

[query_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'query.log'

  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'

  ## Do not log these query types, to reduce verbosity. Keep empty to log everything.

  # ignored_qtypes = ['DNSKEY', 'NS']

############################################
#        Suspicious queries logging        #
############################################

## Log queries for nonexistent zones
## These queries can reveal the presence of malware, broken/obsolete applications,
## and devices signaling their presence to 3rd parties.

[nx_log]

  ## Path to the query log file (absolute, or relative to the same directory as the executable file)

  # file = 'nx.log'

  ## Query log format (currently supported: tsv and ltsv)

  format = 'tsv'

######################################################
#        Pattern-based blocking (blacklists)        #
######################################################

## Blacklists are made of one pattern per line. Example of valid patterns:
##
##   example.com
##   =example.com
##   *sex*
##   ads.*
##   ads*.example.*
##   ads*.example[0-9]*.com
##
## Example blacklist files can be found at https://download.dnscrypt.info/blacklists/
## A script to build blacklists from public feeds can be found in the
## `utils/generate-domains-blacklists` directory of the dnscrypt-proxy source code.

[blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'blacklist.txt'

  ## Optional path to a file logging blocked queries

  # log_file = 'blocked.log'

  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'

###########################################################
#        Pattern-based IP blocking (IP blacklists)        #
###########################################################

## IP blacklists are made of one pattern per line. Example of valid patterns:
##
##   127.*
##   fe80:abcd:*
##   192.168.1.4

[ip_blacklist]

  ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file)

  # blacklist_file = 'ip-blacklist.txt'

  ## Optional path to a file logging blocked queries

  # log_file = 'ip-blocked.log'

  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'

######################################################
#   Pattern-based whitelisting (blacklists bypass)   #
######################################################

## Whitelists support the same patterns as blacklists
## If a name matches a whitelist entry, the corresponding session
## will bypass names and IP filters.
##
## Time-based rules are also supported to make some websites only accessible at specific times of the day.

[whitelist]

  ## Path to the file of whitelisting rules (absolute, or relative to the same directory as the executable file)

  # whitelist_file = 'whitelist.txt'

  ## Optional path to a file logging whitelisted queries

  # log_file = 'whitelisted.log'

  ## Optional log format: tsv or ltsv (default: tsv)

  # log_format = 'tsv'

##########################################
#        Time access restrictions        #
##########################################

## One or more weekly schedules can be defined here.
## Patterns in the name-based blocklist can optionally be followed with @schedule_name
## to apply the pattern 'schedule_name' only when it matches a time range of that schedule.
##
## For example, the following rule in a blacklist file:
## *.youtube.* @time-to-sleep
## would block access to YouTube only during the days, and period of the days
## define by the 'time-to-sleep' schedule.
##
## {after='21:00', before= '7:00'} matches 0:00-7:00 and 21:00-0:00
## {after= '9:00', before='18:00'} matches 9:00-18:00

[schedules]

  # [schedules.'time-to-sleep']
  # mon = [{after='21:00', before='7:00'}]
  # tue = [{after='21:00', before='7:00'}]
  # wed = [{after='21:00', before='7:00'}]
  # thu = [{after='21:00', before='7:00'}]
  # fri = [{after='23:00', before='7:00'}]
  # sat = [{after='23:00', before='7:00'}]
  # sun = [{after='21:00', before='7:00'}]

  # [schedules.'work']
  # mon = [{after='9:00', before='18:00'}]
  # tue = [{after='9:00', before='18:00'}]
  # wed = [{after='9:00', before='18:00'}]
  # thu = [{after='9:00', before='18:00'}]
  # fri = [{after='9:00', before='17:00'}]

#########################
#        Servers        #
#########################

## Remote lists of available servers
## Multiple sources can be used simultaneously, but every source
## requires a dedicated cache file.
##
## Refer to the documentation for URLs of public sources.
##
## A prefix can be prepended to server names in order to
## avoid collisions if different sources share the same for
## different servers. In that case, names listed in `server_names`
## must include the prefixes.
##
## If the `urls` property is missing, cache files and valid signatures
## must be already present; This doesn't prevent these cache files from
## expiring after `refresh_delay` hours.

[sources]

  ## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers

  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''

  ## Another example source, with resolvers censoring some websites not appropriate for children
  ## This is a subset of the `public-resolvers` list, so enabling both is useless

  #  [sources.'parental-control']
  #  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/parental-control.md', 'https://download.dnscrypt.info/resolvers-list/v2/parental-control.md']
  #  cache_file = 'parental-control.md'
  #  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'

## Optional, local, static list of additional servers
## Mostly useful for testing your own servers.

[static]

  # [static.'google']
  # stamp = 'sdns://AgUAAAAAAAAAAAAOZG5zLmdvb2dsZS5jb20NL2V4cGVyaW1lbnRhbA'

[DarienRaymond]

对SELinux不了解，不知道它是如何判断出来的。

v2ray 在解析 JSON 时候会调用同目录下的 v2ctl。有可能是 SELinux 判断失误或者输出有问题。如果要避免 v2ray 调用 v2ctl，可以先把JSON转成protobuf:

/usr/local/bin/v2ray/v2ctl < /etc/v2ray/config.json > /etc/v2ray/config.pb

然后把 v2ray.service 中的命令改成：

/usr/local/bin/v2ray/v2ray --config /etc/v2ray/config.pb --format pb

[y0umu]

Sorry for the delaying. 首先，无意冒犯，但生成protobuf的命令是/usr/local/bin/v2ray/v2ctl config < /etc/v2ray/config.json > /etc/v2ray/config.pb而非 /usr/local/bin/v2ray/v2ctl < /etc/v2ray/config.json > /etc/v2ray/config.pb （开发者在对用户进行考核呢）

然后，我让v2ray读取protobuf文件并以systemd服务的方式启动。没问题。

接着，我以systemd服务形式启动dnscrypt-proxy。bang! SELinux警报：

SELinux is preventing (pt-proxy) from execute access on the 文件 /usr/local/bin/dnscrypt-proxy.

*****  插件 restorecon (99.5 置信度) 建议  ******************************************

If you want to fix the label. 
/usr/local/bin/dnscrypt-proxy default label should be bin_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/local/bin/dnscrypt-proxy

*****  插件 catchall (1.49 置信度) 建议  ********************************************

If you believe that (pt-proxy) should be allowed execute access on the dnscrypt-proxy file by default.
Then 应该将这个情况作为 bug 报告。
可以生成本地策略模块以允许此访问。
Do
allow this access for now by executing:
# ausearch -c '(pt-proxy)' --raw | audit2allow -M my-ptproxy
# semodule -X 300 -i my-ptproxy.pp

更多信息:
源环境 (Context)                 system_u:system_r:init_t:s0
目标环境                          unconfined_u:object_r:user_home_t:s0
目标对象                          /usr/local/bin/dnscrypt-proxy [ file ]
源                             (pt-proxy)
源路径                           (pt-proxy)
端口                            <未知>
主机                            localhost.localdomain
源 RPM 软件包                     
目标 RPM 软件包                    
策略 RPM                        selinux-policy-3.14.1-24.fc28.noarch
Selinux 已启用                   True
策略类型                          targeted
强制模式                          Enforcing
主机名                           localhost.localdomain
平台                            Linux localhost.localdomain 4.16.8-300.fc28.x86_64
                              #1 SMP Wed May 9 20:23:40 UTC 2018 x86_64 x86_64
警报计数                          5
第一个                           2018-05-19 10:24:33 CST
最后一个                          2018-05-19 10:31:25 CST
本地 ID                         57134122-e3da-4eaf-977d-34c00a946bc7

原始核查信息
type=AVC msg=audit(1526697085.651:349): avc:  denied  { execute } for  pid=3942 comm="(pt-proxy)" name="dnscrypt-proxy" dev="sdb3" ino=529996 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

Hash: (pt-proxy),init_t,user_home_t,file,execute

好消息是v2ray不用背这个锅了。

坏消息是我不知直到pt-proxy是个啥，我的sudo ps -ef也没有关于pt-proxy的信息。更糟的是，我也不懂SELinux。

无论如何，感谢开发者。