詹金斯 - 执行外壳 - /bin/systemctl：无法执行：权限被拒绝

Question

目前，Jenkins shell 脚本不允许我运行以下任何命令，这让我发疯了。

• ssh user@domain 'commands'
• systemctl stop myservice
• 须藤

我一开始以为是因为tomcat对上面提到的服务没有执行权限。所以我修改了tomcat.service文件中的user属性，把文件放到/etc/systemd/system/目录下覆盖了默认设置。

• 我所有的 web 应用程序（包括 jenkins）都不是以“tomcat”运行，而是以“root”运行

很遗憾，这并没有解决问题。当我通过 PuTTy 登录 linux 机器时，这些命令运行良好。

这是来自 jenkins 的 shell 脚本 >> Jenkins 仪表板 > myproject > 配置 > Build -Execute Shell：

whoami 

whoami

service csoc-harvester stop

whoami

这是我的一份工作的日志：

Started by user Casey Christy
Running as SYSTEM
Building in workspace /var/lib/jenkins/workspace/CSOC-Harvester-Test
using credential 0196d60d-2a3a-43a4-9141-4967852d5318
 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url http://localhost:8080/gitblit/r/csoc-site.git # timeout=10
Fetching upstream changes from http://localhost:8080/gitblit/r/csoc-site.git
 > git --version # timeout=10
using GIT_ASKPASS to set credentials 
 > git fetch --tags --progress http://localhost:8080/gitblit/r/csoc-site.git +refs/heads/*:refs/remotes/origin/* # timeout=10
 > git rev-parse refs/remotes/origin/Test^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/Test^{commit} # timeout=10
Checking out Revision 8dd49848a7b08965887342ad83c9e8042eda6fbf (refs/remotes/origin/Test)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 8dd49848a7b08965887342ad83c9e8042eda6fbf # timeout=10
Commit message: "Rebuilt War from previous commit"
 > git rev-list --no-walk 8dd49848a7b08965887342ad83c9e8042eda6fbf # timeout=10
[CSOC-Harvester-Test] $ /bin/sh -xe /var/cache/tomcat/temp/jenkins8782561473354276343.sh
+ whoami
root
+ whoami
root
+ service csoc-harvester stop
Redirecting to /bin/systemctl stop csoc-harvester.service
/usr/sbin/service: line 87: /bin/systemctl: Permission denied
/usr/sbin/service: line 87: exec: /bin/systemctl: cannot execute: Permission denied
Build step 'Execute shell' marked build as failure
Finished: FAILURE

以下是服务的权限：

-rwxr-xr-x. 1 root root 717688 Aug 16  2018 systemctl
-rwxr-xr-x. 1 root root 778736 Apr 11  2018 ssh
---s--x--x. 1 root root 143248 Jun 27  2018 sudo

当我尝试将 sudo 添加到组合中时：

[CSOC-Harvester-Test] $ /bin/sh -xe /var/cache/tomcat/temp/jenkins4737512130372945873.sh
+ whoami
root
+ whoami
root
+ sudo service csoc-harvester stop
/var/cache/tomcat/temp/jenkins4737512130372945873.sh: line 6: sudo: command not found
Build step 'Execute shell' marked build as failure
Finished: FAILURE

由于找不到命令，我将路径添加到服务，我仍然得到：

[CSOC-Harvester-Test] $ /bin/sh -xe /var/cache/tomcat/temp/jenkins9072819074943432808.sh
+ whoami
root
+ whoami
root
+ /usr/bin/sudo service csoc-harvester stop
/var/cache/tomcat/temp/jenkins9072819074943432808.sh: line 6: /usr/bin/sudo: Permission denied
Build step 'Execute shell' marked build as failure
Finished: FAILURE

Answer 1

好吧，经过大量搜索，我想我找到了问题所在。在我对系统执行更新后，SELinux 必须已启用。

SELinux 是一个 Linux 内核模块，它提供了一个框架，用于为系统上的许多资源配置强制访问控制。

我禁用了 SELINUX，然后重新启动了我的虚拟机（关闭 VM，重新启动 VMware，打开 VM）。

键入nano /etc/sysconfig/selinux 并编辑要读取的文件：

#This file controls the state of SELinux on the system. 
#SELINUX= can take one of these three values: 
#   enforcing - SELinux security policy is enforced
#   permissive - SELinux prints warnings instead of enforcing
#   disabled - No SELinux policy is loaded
SELINUX = disabled 
#SELINUXTYPE = can take one of these two values: 
#   targeted - Targeted processes are protected
#   mls - Multi Level Security protection
SELINUXTYPE=targeted

我发现的另一个解决方案不是禁用 SELINUX，而是将 tomcat_t 守护进程的域（安全上下文）设置为许可模式。在许可模式下，不会强制执行该策略，但会针对该策略通常拒绝的访问生成日志。

输入semanage permissive -a tomcat_t