ublue-os / ucore

An OCI base image of Fedora CoreOS with batteries included
https://projectucore.io
Apache License 2.0

gssproxy.service failing to start on upgrade to version 40.20240504.3.0 #165

Closed bianchidotdev closed 1 month ago

bianchidotdev commented 4 months ago

Upon upgrade to ucore:stable version 40.20240504.3.0 from 39.20240407.3.0, I'm getting a systemd error for gssproxy. I'm struggling to figure out if this is specific to ucore or a more general CoreOS issue, but I thought I'd start here since it looks like it might be brought in with nfs-utils.

# on boot/shell start
[systemd]
Failed Units: 1
  gssproxy.service

# journal logs
-- Boot e5b6483a71bc4e929cfba32c7225679b --
May 25 18:58:03 localhost.localdomain systemd[1]: Starting gssproxy.service - GSSAPI Proxy Daemon...
May 25 18:58:03 localhost.localdomain (gssproxy)[1153]: gssproxy.service: Failed to set up special execution directory in /var/lib: Permission denied
May 25 18:58:03 localhost.localdomain systemd[1]: gssproxy.service: Control process exited, code=exited, status=238/STATE_DIRECTORY
May 25 18:58:03 localhost.localdomain systemd[1]: gssproxy.service: Failed with result 'exit-code'.
May 25 18:58:03 localhost.localdomain systemd[1]: Failed to start gssproxy.service - GSSAPI Proxy Daemon.

Unfortunately, I'm a noob when it comes to SELinux, but by momentarily disabling SELinux and restarting gssproxy, it was able to create the necessary files/directory and now seems to run successfully. I'm not sure what the real solution would be, though.

mixedd69 commented 3 months ago

Can confirm that on my install of ucore:stable it's the same.

sbor23 commented 3 months ago

Same issue here. I just set up a fresh VM and bootstrapped from CoreOS today, and the issue only exists after rebasing to ucore-hci:stable.

sbor23 commented 3 months ago

FYI the SELinux error log is:

type=AVC msg=audit(1718489462.110:101): avc: denied { add_name } for pid=1375 comm="(gssproxy)" name="clients" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0

In cockpit, there is a solution provided:

ausearch -c '(gssproxy)' --raw | audit2allow -M my-gssproxy
semodule -X 300 -i my-gssproxy.pp

This seems to fix the gssproxy.service. Caution: I have no idea how SELinux works or if this is a bad idea...

TeamLinux01 commented 3 months ago

> FYI the SELinux error log is:
>
> type=AVC msg=audit(1718489462.110:101): avc: denied { add_name } for pid=1375 comm="(gssproxy)" name="clients" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
>
> In cockpit, there is a solution provided:
>
> ausearch -c '(gssproxy)' --raw | audit2allow -M my-gssproxy
> semodule -X 300 -i my-gssproxy.pp
>
> This seems to fix the gssproxy.service. Caution: I have no idea how SELinux works or if this is a bad idea...

I was able to start the service after following the command to add gssproxy auditing and installing the module in SELinux (at least that is what I gather from the above command).