Errors Establishing communication with dbus #9

Open
joe-at-startupmedia opened this issue Aug 25, 2024 · 4 comments

Comments

@joe-at-startupmedia

joe-at-startupmedia commented Aug 25, 2024

Getting DBUS working on a tcp socket

This library establishes a connection to dbus over TCP. The problem is getting dbus to work with TCP on my Rocky Linux distro (RHEL-based).

[root@startup-job-1 firewalld-gateway]# uname -a
Linux startup-job-1 5.14.0-427.20.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jun 7 14:51:39 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  1. Using CentOS 7 is not an option.
  2. Using the provided Docker image or Debian-based distros is not an option; Rocky Linux 9 is required.

The first issue is that this distro no longer uses dbus-daemon but dbus-broker-launch:

cat /usr/lib/systemd/system/dbus-broker.service

[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-broker-launch(1)
DefaultDependencies=false
Before=basic.target shutdown.target
Requires=dbus.socket
Conflicts=shutdown.target

[Service]
Type=notify
Sockets=dbus.socket
OOMScoreAdjust=-900
LimitNOFILE=16384
ProtectSystem=full
PrivateTmp=true
PrivateDevices=true
ExecStart=/usr/bin/dbus-broker-launch --scope system --audit
ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig

[Install]
Alias=dbus.service

As such, following this method to open TCP doesn't work.
https://stackoverflow.com/questions/61327052/linux-dbus-remote-tcp-connection-with-systemd-fails

Modify /usr/lib/systemd/system/dbus.socket

[Unit]
Description=D-Bus System Message Bus Socket

[Socket]
ListenStream=/run/dbus/system_bus_socket
ListenStream=55556 # <-- added this line

[Install]
WantedBy=sockets.target

Adding that results in the following error:
Error: dbus-broker-launch[2476921]: More than one listener socket passed

dbus-broker doesn't like multiple listen streams specified in dbus.socket, so we use dbus-daemon instead. This is what CentOS 7 (Rocky Linux's predecessor) is using.

Create a new systemd unit file at: /usr/lib/systemd/system/dbus.service

[Unit]
Description=D-Bus System Message Bus
Documentation=man:dbus-daemon(1)
Requires=dbus.socket

[Service]
ExecStart=/usr/bin/dbus-daemon --address=systemd: --system --nofork --nopidfile --systemd-activation --syslog-only
ExecReload=/usr/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900

[Install]
# Make sure that services can still refer to this under the name of the
# old SysV script (messagebus).
Alias=dbus.service messagebus.service
WantedBy=multi-user.target

Create the Uranus busconfig:

cat /usr/share/dbus-1/system.d/Uranus.conf

This is included by the system.conf file

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <listen>tcp:host=10.108.0.17,bind=*,port=55556,family=ipv4</listen>
  <listen>unix:tmpdir=/tmp</listen>

  <policy context="default">
      <deny receive_path="org.fedoraproject.FirewallD1" /> <!-- restrict all requests -->
      <allow user="root" />
      <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
      <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
      <allow receive_sender="com.github.cylonchau.Uranus" receive_path="org.fedoraproject.FirewallD1" />
  </policy>

  <auth>ANONYMOUS</auth>
  <allow_anonymous/>

</busconfig>

To resolve this, I use dbus-daemon instead:

systemctl stop dbus
systemctl stop dbus.socket
dnf install dbus-daemon
systemctl daemon-reload
systemctl start dbus

Note: Make sure you have password access to your machine in case dbus crashes on reboot.

Confirm that DBUS is listening on TCP

netstat -tulpn | grep 55556
0.0.0.0:55556           0.0.0.0:*               LISTEN      2502463/dbus-daemon

Finally, we now have dbus listening on TCP.

Next,

Establishing connection to Uranus

[Screenshot, 2024-08-24 23:47:15]

Error when attempting to create a host on the local machine:

https://uranus.com/fw/v1/dashboard?ip=0.0.0.0

dbus-daemon[12158]: [system] Unable to set up new connection: Failed to read an SELinux context from connection
I0825 04:56:45.184303   12200 structure.go:38] Start connect to D-Bus service: 0.0.0.0:55556
E0825 04:56:45.185505   12200 structure.go:73] Connect to firewalld service failed: write tcp 127.0.0.1:38896->127.0.0.1:55556: write: broken pipe

Removing the following line from /usr/share/dbus-1/system.conf and then restarting the service results in the same error:
==> /var/log/pmond/dbus-daemon.log <==
dbus-daemon[12564]: [system] Unable to set up new connection: Failed to read an SELinux context from connection

Disabling SELinux (not Permissive or Enabled) and rebooting is the only solution I've found to suppress this error.

After rebooting the machine and attempting to list the host:

I0825 06:47:57.345890     849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:47:57.390132     849 structure.go:73] Connect to firewalld service failed: Name "org.fedoraproject.FirewallD1" does not exist

Adding this line to the firewalld bus policy resolves this error:

    <allow send_destination="org.fedoraproject.FirewallD1"
        send_interface="com.github.cylonchau.Uranus"/>

cat /usr/share/dbus-1/system.d/FirewallD.conf

<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root can own the service and send signals -->
  <policy user="root">
    <allow own="org.fedoraproject.FirewallD1"/>
    <allow own="org.fedoraproject.FirewallD1.config"/>
    <allow send_destination="org.fedoraproject.FirewallD1"/>
    <allow send_destination="org.fedoraproject.FirewallD1.config"/>
  </policy>

  <!-- Allow anyone to invoke methods on the interfaces,
       authorization is performed by PolicyKit -->
  <policy context="default">
    <allow send_destination="org.fedoraproject.FirewallD1"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
      send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.fedoraproject.FirewallD1"
      send_interface="com.github.cylonchau.Uranus"/> <!-- added this line -->
    <allow send_destination="org.fedoraproject.FirewallD1.config"/>
  </policy>

</busconfig>

systemctl restart dbus
systemctl restart firewalld

Now restarting dbus and attempting to list the policies again in the Uranus UI gives a new error:

I0825 06:40:11.095623     849 structure.go:38] Start connect to D-Bus service: 10.108.0.17:55556
E0825 06:40:11.142885     849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.23'

Subsequent requests result in the same error with an incremented UID:

E0825 06:40:11.142885     849 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.24'

@joe-at-startupmedia
Author

joe-at-startupmedia commented Aug 25, 2024

Possibly related to this commit which is not available until godbus 5.0.6. This library is currently using 5.0.5: godbus/dbus@7ba66a7

  • attempt to replicate after updating the godbus dependency

@cylonchau
Owner

cylonchau commented Aug 25, 2024

This is because this issue is about firewalld issue #851: use dbus remotely connect firewalld dbus interface error.

If I want to connect remotely over TCP using the dbus protocol, the program can't get the uid. This issue is usually encountered with remote connections; the firewalld group said "This is not something we can reasonably support", so I removed the firewalld PolicyKit and wrote this tutorial.

If I write a firewalld-agent, that can resolve this issue, because on the local Linux machine the program can get the uid. But this solution needs the IT manager to deploy many agents on many Linux servers, which is difficult, so I removed the PolicyKit from the firewalld code and just provide an rpm/deb package to the IT manager. The IT manager just installs it; this does not require complicated operations, because each of our Linux machines has the dbus port enabled by default.

Please refer to the install manual's Setup firewalld section; you need the version without PolicyKit. I provide two versions, for Debian 11 and CentOS 7; if you want another Linux OS, please refer to the without-PolicyKit tutorial.


About the Red Hat-like distros, I have only used up to CentOS 7; Debian 11 and Debian 12 are still using dbus-daemon. I will download and install Rocky 9 to try your issue.

Thank you for your advice, I will try this new feature.

@joe-at-startupmedia
Author

Interesting.

Just to clarify, this isn't exclusive to remote connections, adjusting the following parameters to use the loopback 127.0.0.1 results in the same error:

/usr/share/dbus-1/system.d/Uranus.conf

<listen>tcp:host=localhost,bind=127.0.0.1,port=55556,family=ipv4</listen>

firewalld-gateway.toml

appname = "Uranus"
port = 2952
address = "127.0.0.1" # <-- use loopback
dbus_port = 55556
mission_retry_number = 3
async_process = true
database_driver = "sqlite"

I0826 01:01:58.231151    2424 structure.go:38] Start connect to D-Bus service: 127.0.0.1:55556
E0826 01:01:58.278588    2424 structure.go:73] Connect to firewalld service failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: Could not determine UID for ':1.18'

At this point Rocky 9 is using firewalld version 1.3.4. Modifying both the firewalld and firewall-cmd packages is possible but frankly not worth the configuration overhead nor the security risks. Just to be clear, this is what is required (so far) to get this package working on the latest RHEL-based distros:

  1. disable the default dbus mechanism to use dbus-daemon instead of dbus-broker
  2. disable selinux completely (not ideal, at least there is some audit capability with Permissive)
  3. creating a Uranus dbus policy that allows anonymous authentication (security risk?)
  4. modify the firewalld package and rebuild and package them for internal distribution
  5. modify the firewall-cmd package and rebuild and package them for internal distribution

Honestly this is way too much work and introduces more security vulnerabilities than it's worth. At this point, for the adoptability of this project I would highly recommend:

  1. Switching the dbus communication method to use the socket authentication mechanism since TCP is basically de-facto unsupported https://www.freedesktop.org/wiki/Software/DBusRemote/
  2. Utilizing a Uranus agent (installed on all machines) to establish communication between the dbus socket and the remote Uranus API
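The Uranus.conf posted at the top of the thread and the "security risk?" items in the list above can be checked mechanically. The following is an added example, not code from this issue or from the Uranus project: a small Python lint over a D-Bus busconfig fragment that flags a TCP listener bound to every interface, the ANONYMOUS auth mechanism and `<allow_anonymous/>`, `own` rules granted in the default policy context, and `send_path`/`receive_path` rules whose value is not an object path (D-Bus object paths begin with `/`, so a rule keyed on a bus name never matches). The embedded sample is the Uranus.conf from the first post; the hardened counterpart, the finding codes and the severities are this script's own, not anything defined by D-Bus.

```python
"""Lint a D-Bus busconfig fragment for settings that weaken the system bus.

Added example. The first sample below is the Uranus.conf posted in this
issue, embedded so the script runs offline; the hardened sample, the
finding codes and the severities are this script's own labels.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Uranus.conf from the first post.
URANUS_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <listen>tcp:host=10.108.0.17,bind=*,port=55556,family=ipv4</listen>
  <listen>unix:tmpdir=/tmp</listen>
  <policy context="default">
      <deny receive_path="org.fedoraproject.FirewallD1" />
      <allow user="root" />
      <allow own="com.github.cylonchau.Uranus" />
      <allow receive_sender="com.github.cylonchau.Uranus" receive_path="org.fedoraproject.FirewallD1" />
  </policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>
"""

# Constructed hardened counterpart: Unix socket only, credential-based auth.
HARDENED_CONF = """<busconfig>
  <listen>unix:path=/run/dbus/system_bus_socket</listen>
  <auth>EXTERNAL</auth>
  <policy context="default">
      <allow user="root" />
  </policy>
</busconfig>
"""


def parse_listen(address):
    """Split 'tcp:host=x,bind=*,port=1' into ('tcp', {'host': 'x', ...})."""
    transport, _, rest = address.partition(":")
    params = {}
    for item in rest.split(","):
        if item:
            key, _, value = item.partition("=")
            params[key] = value
    return transport, params


def lint_busconfig(xml_text):
    """Return findings as (code, severity, message) tuples in document order."""
    root = ET.fromstring(xml_text)
    findings = []

    for listen in root.findall("listen"):
        address = (listen.text or "").strip()
        transport, params = parse_listen(address)
        if transport != "tcp":
            continue
        # dbus-daemon binds to 'bind' when given, otherwise to 'host'.
        bind = params.get("bind", params.get("host", ""))
        if bind in ("*", "0.0.0.0", "::"):
            findings.append(("TCP_ALL_IFACES", "high",
                             "TCP listener reachable on every interface: " + address))
        else:
            findings.append(("TCP_LISTEN", "medium",
                             "TCP listener (no transport encryption): " + address))

    if root.find("allow_anonymous") is not None:
        findings.append(("ALLOW_ANONYMOUS", "high",
                         "<allow_anonymous/> admits peers that never authenticated"))
    for auth in root.findall("auth"):
        if (auth.text or "").strip().upper() == "ANONYMOUS":
            findings.append(("AUTH_ANONYMOUS", "high",
                             "ANONYMOUS SASL mechanism enabled; peer identity is unverified"))

    for policy in root.findall("policy"):
        default_ctx = policy.get("context") == "default"
        for rule in policy:  # iterates child elements only
            if default_ctx and rule.tag == "allow" and "own" in rule.attrib:
                findings.append(("DEFAULT_OWN", "medium",
                                 "any connection may own " + rule.get("own")))
            for attr in ("send_path", "receive_path"):
                value = rule.get(attr)
                if value is not None and not value.startswith("/"):
                    findings.append(("BAD_PATH", "low",
                                     "%s %s=%r is not an object path, so the rule never matches"
                                     % (rule.tag, attr, value)))
    return findings


if __name__ == "__main__":
    for name, conf in (("Uranus.conf", URANUS_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for code, severity, message in lint_busconfig(conf) or [("OK", "-", "no findings")]:
            print("  [%s] %s: %s" % (severity, code, message))
```

Run as-is it prints the findings for both samples; pointing `lint_busconfig` at the loopback variant from this comment (`bind=127.0.0.1`) downgrades the listener finding from all-interfaces to a plain unencrypted TCP listener, while the anonymous-auth and default-context findings stay, which is the point: moving to loopback narrows exposure but does not restore peer identity.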

@cylonchau
Owner

cylonchau commented Sep 9, 2024

@joe-at-startupmedia Uranus-agent is not the final choice. Although this approach is simpler than the current architecture, if I use an agent I have more choices and no need for firewalld, but that code is more than firewalld, because firewalld can run suitably on iptables and nftables. I will adapt to Rocky 9 and the like as soon as possible.
