mod-gearman-worker is no longer starting on EL 8.6 because of SELinux issue and PID file outside /var/run/

[pbiering]

after upgrading to EL 8.6 keeping 4.0.1

rpm -q mod_gearman
mod_gearman-4.0.1-1.el8.x86_64

following appears in log and is preventing mod-gearman-worker from keeping active:

May 17 10:53:19 *** systemd[1]: mod-gearman-worker.service: Can't convert PID files /var/mod_gearman/mod_gearman_worker.pid O_PATH file descriptor to proper file descriptor: Permission denied

Location of PID file should be changed to EL standard, means in this case

RPM should create directory /var/run/mod_gearman with user naemon

unit file needs to be changed: /usr/lib/systemd/system/mod-gearman-worker.service

PIDFile=/var/run/mod_gearman/mod_gearman_worker.pid
ExecStart=/usr/bin/mod_gearman_worker -d --config=/etc/mod_gearman/worker.conf --pidfile=/var/run/mod_gearman/mod_gearman_worker.pid

[pbiering]

while somehow this issue disappears in 8.7 with mod_gearman-4.0.4, it was found now also on 7.9 with mod_gearman-4.0.4

reason behind is following SElinux audit log

type=SERVICE_START msg=audit(1669637846.615:39369): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mod-gearman-worker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1669637928.132:39383): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mod-gearman-worker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1669637928.149:39384): avc:  denied  { read } for  pid=1 comm="systemd" name="mod_gearman_worker.pid" dev="dm-4" ino=4216588 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669637928.149:39385): avc:  denied  { read } for  pid=1 comm="systemd" name="mod_gearman_worker.pid" dev="dm-4" ino=4216588 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1669637928.149:39386): avc:  denied  { read } for  pid=1 comm="systemd" name="mod_gearman_worker.pid" dev="dm-4" ino=4216588 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1669637947.972:39389): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mod-gearman-worker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1669637947.972:39390): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mod-gearman-worker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1669637947.982:39391): avc:  denied  { read } for  pid=1 comm="systemd" name="mod_gearman_worker.pid" dev="dm-4" ino=4216588 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1669637947.982:39392): avc:  denied  { open } for  pid=1 comm="systemd" path="/var/mod_gearman/mod_gearman_worker.pid" dev="dm-4" ino=4216588 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1669637947.982:39393): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=mod-gearman-worker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

audit2allow tells missing policy:

#============= init_t ==============
allow init_t var_t:file { open read unlink };

[sni]

fixed in 1967c29ad3cff25a88e0874534d639dffdf15c4d