systemctl disable firewalld Failed to disable unit: Access denied

1、问题描述
无法禁用firewalld服务

[root@controller ~]# systemctl disable firewalld
Failed to disable unit: Access denied
[root@controller ~]# cat /etc/sudoers.d/stack 
stack ALL=(ALL) NOPASSWD: ALL
[root@controller ~]# su - stack
[stack@controller ~]$ sudo systemctl disable firewalld.service
Failed to disable unit: Access denied

2、问题分析
可能是因为selinux是以Enforcing模式运行。这里我们查看下firewalld服务的selinux安全上下文。

可以看到selinux上下文是不一样的，前者为systemd_unit_file_t，后者为firewalld_unit_file_t

[root@controller multi-user.target.wants]# pwd
/etc/systemd/system/multi-user.target.wants
[root@controller multi-user.target.wants]# ll -Z /etc/systemd/system/multi-user.target.wants/firewalld.service
lrwxrwxrwx. 1 root root system_u:object_r:systemd_unit_file_t:s0 41 Jun 10 10:05 /etc/systemd/system/multi-user.target.wants/firewalld.service -> /usr/lib/systemd/system/firewalld.service
[root@controller multi-user.target.wants]# ll -Z /usr/lib/systemd/system/firewalld.service
-rw-r--r--. 1 root root system_u:object_r:firewalld_unit_file_t:s0 674 Aug  9  2021 /usr/lib/systemd/system/firewalld.service

3、问题解决
修改文件 /etc/systemd/system/multi-user.target.wants/firewalld.service 的 selinux安全上下文为 firewalld_unit_file_t

[root@controller ~]# chcon -R -t firewalld_unit_file_t /etc/systemd/system/multi-user.target.wants/firewalld.service
[root@controller ~]# ll -Z /etc/systemd/system/multi-user.target.wants/firewalld.service
lrwxrwxrwx. 1 root root system_u:object_r:firewalld_unit_file_t:s0 41 Jun 10 10:05 /etc/systemd/system/multi-user.target.wants/firewalld.service -> /usr/lib/systemd/system/firewalld.service

重启！！！！

4、重新禁用firewalld服务，问题解决！！！

[root@controller ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@controller ~]# getenforce 
Enforcing