Getting DBUS working on a tcp socket
This library establishes a connection to D-Bus over TCP. The problem is getting D-Bus to work over TCP on my Rocky Linux distro (RHEL-based).
[root@startup-job-1 firewalld-gateway]# uname -a
Linux startup-job-1 5.14.0-427.20.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jun 7 14:51:39 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
- Using CentOS 7 is not an option
- Using the provided Docker image or Debian-based distros is not an option; Rocky Linux 9 is required.
The first issue is that this distro no longer uses dbus-daemon but dbus-broker-launch:
cat /usr/lib/systemd/system/dbus-broker.service
[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-broker-launch(1)
DefaultDependencies=false
Before=basic.target shutdown.target
Requires=dbus.socket
Conflicts=shutdown.target
[Service]
Type=notify
Sockets=dbus.socket
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
ExecStart=/usr/bin/dbus-broker-launch --scope system --audit
ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
[Install]
Alias=dbus.service
As such, following this method to open a TCP listener doesn't work:
https://stackoverflow.com/questions/61327052/linux-dbus-remote-tcp-connection-with-systemd-fails
Modify /usr/lib/systemd/system/dbus.socket
[Unit]
Description=D-Bus System Message Bus Socket
[Socket]
ListenStream=/run/dbus/system_bus_socket
ListenStream=55556 # <-- added this line
[Install]
WantedBy=sockets.target
Adding that results in the following error:
Error: dbus-broker-launch[2476921]: More than one listener socket passed
dbus-broker doesn't accept multiple ListenStream= entries in dbus.socket, so we use dbus-daemon instead, which is what CentOS 7 (Rocky Linux's predecessor) uses.
Create a new systemd unit file at /usr/lib/systemd/system/dbus.service:
[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket
[Service]
ExecStart=/usr/bin/dbus-daemon --address=systemd: --system --nofork --nopidfile --systemd-activation --syslog-only
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900
[Install]
# Make sure that services can still refer to this under the name of the
# old SysV script (messagebus).
Alias=dbus.service messagebus.service
WantedBy=multi-user.target
Create the Uranus busconfig:
cat /usr/share/dbus-1/system.d/Uranus.conf
This file is included by system.conf:
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.108.0.17,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>
<policy context="default">
<deny receive_path="org.fedoraproject.FirewallD1" /> <!-- restrict all requests -->
<allow user="root" />
<allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
<!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
<allow receive_sender="com.github.cylonchau.Uranus" receive_path="org.fedoraproject.FirewallD1" />
</policy>
<auth>ANONYMOUS</auth>
<allow_anonymous/>
</busconfig>
To resolve this, I use dbus-daemon instead:
systemctl stop dbus
systemctl stop dbus.socket
dnf install dbus-daemon
systemctl daemon-reload
systemctl start dbus
Note: Make sure you have password access to your machine in case dbus crashes on reboot.
Confirm that D-Bus is listening on TCP:
netstat -tulpn | grep 55556
0.0.0.0:55556 0.0.0.0:* LISTEN 2502463/dbus-daemon
D-Bus is now listening on TCP.
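A quick way to confirm that the listener really accepts unauthenticated peers, and a reminder that this short exchange is all any host able to reach port 55556 needs in order to obtain a bus connection, is to speak only the SASL opening of the D-Bus protocol. This is an added example, not code from Uranus or from dbus-daemon; it assumes the address from Uranus.conf above and sends no Hello() and no method call.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// ProbeAnonymousAuth performs only the opening of the D-Bus SASL exchange on the
// TCP listener at addr (a NUL credentials byte, then "AUTH ANONYMOUS") and reports
// whether the bus answers "OK <guid>", i.e. whether <auth>ANONYMOUS</auth> is in
// effect. The socket is closed straight after the reply; no Hello() and no method
// call are sent, so nothing is executed on the bus.
func ProbeAnonymousAuth(addr string) (bool, string, error) {
	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
	if err != nil {
		return false, "", err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err = conn.Write([]byte("\x00AUTH ANONYMOUS\r\n")); err != nil {
		return false, "", err
	}
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return false, "", err
	}
	line = strings.TrimRight(line, "\r\n")
	switch {
	case strings.HasPrefix(line, "OK "):
		return true, line, nil // anyone who can reach the port gets a bus connection
	case strings.HasPrefix(line, "REJECTED"):
		return false, line, nil // the reply lists the mechanisms the bus does accept
	}
	return false, line, fmt.Errorf("unexpected auth reply %q", line)
}

func main() {
	addr := "10.108.0.17:55556" // the listener from Uranus.conf above; override via argv[1]
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	anon, reply, err := ProbeAnonymousAuth(addr)
	fmt.Printf("anonymous=%v reply=%q err=%v\n", anon, reply, err)
}
```

A peer admitted this way carries no Unix credentials, which is also why the bus cannot answer GetConnectionUnixUser for it later on.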
Next, establishing a connection to Uranus
Error when attempting to create a host on the local machine:
https://uranus.com/fw/v1/dashboard?ip=0.0.0.0
dbus-daemon[12158]: [system] Unable to set up new connection: Failed to read an SELinux context from connection
I0825 04:56:45.184303 12200 structure.go:38] Start connect to D-Bus service: 0.0.0.0:55556
E0825 04:56:45.185505 12200 structure.go:73] Connect to firewalld service failed: write tcp 127.0.0.1:38896->127.0.0.1:55556: write: broken pipe
Removing the following line from /usr/share/dbus-1/system.conf and restarting the service results in the same error:
==> /var/log/pmond/dbus-daemon.log <==
dbus-daemon[12564]: [system] Unable to set up new connection: Failed to read an SELinux context from connection
Disabling SELinux (not Permissive or Enabled) and rebooting is the only solution I've found to suppress this error.
After rebooting the machine and attempting to list the host:
I0825 06:47:57.345890 849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:47:57.390132 849 structure.go:73] Connect to firewalld service failed: Name "org.fedoraproject.FirewallD1" does not exist
Adding this line to the firewalld bus policy resolves this error:
<allow send_destination="org.fedoraproject.FirewallD1"
send_interface="com.github.cylonchau.Uranus"/>
cat /usr/share/dbus-1/system.d/FirewallD.conf
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service and send signals -->
<policy user="root">
<allow own="org.fedoraproject.FirewallD1"/>
<allow own="org.fedoraproject.FirewallD1.config"/>
<allow send_destination="org.fedoraproject.FirewallD1"/>
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>
<!-- Allow anyone to invoke methods on the interfaces,
authorization is performed by PolicyKit -->
<policy context="default">
<allow send_destination="org.fedoraproject.FirewallD1"/>
<allow send_destination="org.fedoraproject.FirewallD1"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.fedoraproject.FirewallD1"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.fedoraproject.FirewallD1"
send_interface="com.github.cylonchau.Uranus"/> <!-- added this line -->
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>
</busconfig>
systemctl restart dbus
systemctl restart firewalld
After restarting dbus, attempting to list the policies again in the Uranus UI gives a new error:
I0825 06:40:11.095623 849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:40:11.142885 849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.23'
Subsequent requests result in the same error, with the unique connection name incremented:
E0825 06:40:11.142885 849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.24'