wangyu- / tinyfecVPN

A VPN Designed for Lossy Links, with Built-in Forward Error Correction (FEC) Support. Improves your Network Quality on a High-latency Lossy Link.
MIT License
2.28k stars 456 forks

Starting tinyfecvpn with systemctl from a self-written service file is denied by SELinux #89

Open sslyd opened 4 years ago

sslyd commented 4 years ago

I want to manage the service with systemd, so I wrote a service file myself. When I run the start command directly I can start tinyfecvpn, but once I put it into the service file and start it with systemctl it is denied by SELinux. I also tried setcap cap_net_admin+ep ./tinyvpn_amd64, but that did not help. Do I have to turn SELinux off to use it??

tinyfecvpn.service file

[Unit]
Description=tinyfecvpn
After=network-online.target

[Service]
Type=simple
User=root
Group=root
ExecStart=/tinyvpn_amd64 -s -l0.0.0.0:4096 -f20:10 -k "passwd" --sub-net 10.22.22.0

[Install]
WantedBy=multi-user.target

Error log

Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]argc=8 /tinyvpn_amd64 -s -l0.0.0.0:4096 -f20:10 -k passwd --sub-net 10.22.22.0
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]parsing address: 0.0.0.0:4096
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]its an ipv4 adress
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]ip_address is {0.0.0.0}, port is {4096}
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]sub_net 10.22.22.0
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]jitter_min=0 jitter_max=0 output_interval_min=0 output_interval_max=0 fec_timeout=8 fec_mtu=1250 fec_queue_len=200 fec_mode=0
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]fec_str=20:10
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]fec_inner_parameter=1:10,2:10,3:10,4:10,5:10,6:10,7:10,8:10,9:10,10:10,11:10,12:10,13:10,14:10,15:10,16:10,17:10,18:10,19:10,20:10
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][INFO]using interface tun534
Nov 21 07:05:15 centos8 tinyvpn_amd64[15856]: [2019-11-21 07:05:15][FATAL]open /dev/net/tun failed

Audit log

type=AVC msg=audit(1574339380.860:351): avc:  denied  { ioctl } for  pid=16014 comm="tinyvpn_amd64" path="/dev/net/tun" dev="devtmpfs" ino=21999 ioctlcmd=0x54ca scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1

type=AVC msg=audit(1574339380.860:351): avc:  denied  { create } for  pid=16014 comm="tinyvpn_amd64" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tun_socket permissive=1

type=SYSCALL msg=audit(1574339380.860:351): arch=x86_64 syscall=ioctl success=yes exit=0 a0=5 a1=400454ca a2=7ffdab44fa50 a3=7f44491bf580 items=0 ppid=1 pid=16014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=tinyvpn_amd64 exe=/tinyvpn_amd64 subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=ioctl AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root
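As an added example (not code from tinyfecVPN or from the issue author), here is a small Python parser that reads the AVC and SYSCALL records quoted above and summarises which SELinux source domain was denied which permission on which target type, and whether the denial was actually enforced (permissive=0) or only logged (permissive=1, as in these records). The sample lines are copied from the issue (the SYSCALL line shortened to its leading fields); all function and variable names are my own.

```python
"""Parse SELinux audit records (AVC denials plus the matching SYSCALL record)
into structured form and summarise the denials by source/target type.
Added example for issue #89; not part of tinyfecVPN."""
import re
from collections import OrderedDict

# Audit lines copied from the issue above; the SYSCALL line is shortened.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1574339380.860:351): avc:  denied  { ioctl } for  pid=16014 comm="tinyvpn_amd64" path="/dev/net/tun" dev="devtmpfs" ino=21999 ioctlcmd=0x54ca scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1574339380.860:351): avc:  denied  { create } for  pid=16014 comm="tinyvpn_amd64" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=tun_socket permissive=1
type=SYSCALL msg=audit(1574339380.860:351): arch=x86_64 syscall=ioctl success=yes exit=0 a0=5 a1=400454ca a2=7ffdab44fa50 a3=7f44491bf580 items=0 ppid=1 pid=16014 auid=4294967295 uid=0 gid=0 euid=0 comm=tinyvpn_amd64 exe=/tinyvpn_amd64 subj=system_u:system_r:init_t:s0 key=(null)
"""

# type=<TYPE> msg=audit(<seconds>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(r"^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'a=1 b="x y"' into an ordered dict with quotes stripped."""
    fields = OrderedDict()
    for key, value in KV_RE.findall(text):
        fields[key] = value.strip('"')
    return fields


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["time"]), "serial": int(m["serial"])}
    if rec["type"] == "AVC":
        a = AVC_RE.match(m["body"])
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        rec["fields"] = parse_kv(a["kv"])
    else:
        rec["fields"] = parse_kv(m["body"])
    return rec


def parse_audit_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def selinux_type(context):
    """Extract the type component of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(records):
    """Group AVC denials by (source type, target type, object class)."""
    groups = OrderedDict()
    for r in records:
        if r["type"] != "AVC" or r["result"] != "denied":
            continue
        f = r["fields"]
        key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        g = groups.setdefault(key, {
            "source_type": key[0], "target_type": key[1], "tclass": key[2],
            "perms": [], "enforced": False, "serials": set(), "path": f.get("path"),
        })
        for p in r["perms"]:
            if p not in g["perms"]:
                g["perms"].append(p)
        # permissive=0: the access was blocked; permissive=1: only logged (domain or system permissive)
        if f.get("permissive", "0") == "0":
            g["enforced"] = True
        g["serials"].add(r["serial"])
    return list(groups.values())


def syscall_outcome(records, serial):
    """success= field of the SYSCALL record with the same audit serial, if present."""
    for r in records:
        if r["type"] == "SYSCALL" and r["serial"] == serial:
            return r["fields"].get("success")
    return None


def format_summary(records):
    lines = []
    for g in summarize_denials(records):
        mode = "enforced" if g["enforced"] else "logged only (permissive)"
        lines.append(f"{g['source_type']} -> {g['target_type']} ({g['tclass']}): "
                     f"{' '.join(g['perms'])} [{mode}]")
    return lines


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for line in format_summary(recs):
        print(line)
    print("syscall serial 351 success:", syscall_outcome(recs, 351))
```

Run against the records from the issue, the summary shows the process running in the init_t domain (the scontext) being denied ioctl on tun_tap_device_t and create on a tun_socket, with the SYSCALL record reporting success=yes because permissive=1 means the denial was logged rather than blocked; the same parser reports "enforced" for a record carrying permissive=0.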