gssproxy.service failing to start on upgrade to version 40.20240504.3.0 #165

Closed
bianchidotdev opened this issue May 26, 2024 · 4 comments · Fixed by #192
@bianchidotdev

Upon upgrade to ucore:stable version 40.20240504.3.0 from 39.20240407.3.0, I'm getting a systemd error for gssproxy. I'm struggling to figure out if this is specific to ucore or a more general CoreOS issue, but I thought I'd start here since it looks like it might be brought in with nfs-utils.

# on boot/shell start
[systemd]
Failed Units: 1
  gssproxy.service

# journal logs
-- Boot e5b6483a71bc4e929cfba32c7225679b --
May 25 18:58:03 localhost.localdomain systemd[1]: Starting gssproxy.service - GSSAPI Proxy Daemon...
May 25 18:58:03 localhost.localdomain (gssproxy)[1153]: gssproxy.service: Failed to set up special execution directory in /var/lib: Permission denied
May 25 18:58:03 localhost.localdomain systemd[1]: gssproxy.service: Control process exited, code=exited, status=238/STATE_DIRECTORY
May 25 18:58:03 localhost.localdomain systemd[1]: gssproxy.service: Failed with result 'exit-code'.
May 25 18:58:03 localhost.localdomain systemd[1]: Failed to start gssproxy.service - GSSAPI Proxy Daemon.

Unfortunately, I'm a noob when it comes to SELinux, but by momentarily disabling SELinux and restarting gssproxy, it was able to create the necessary files/directory and now seems to run successfully. I'm not sure what the real solution would be though.

@mixedd69

Can confirm that on my install of ucore:stable it's the same.

@sbor23

sbor23 commented Jun 15, 2024

Same issue here. I just set up a fresh VM and bootstrapped from CoreOS today, and the issue only exists after rebasing to ucore-hci:stable.

@sbor23

sbor23 commented Jun 15, 2024

FYI the SELinux error log is:

type=AVC msg=audit(1718489462.110:101): avc: denied { add_name } for pid=1375 comm="(gssproxy)" name="clients" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0

In cockpit, there is a solution provided:

ausearch -c '(gssproxy)' --raw | audit2allow -M my-gssproxy
semodule -X 300 -i my-gssproxy.pp

This seems to fix the gssproxy.service.
Caution: I have no idea how SELinux works or if this is a bad idea...

@TeamLinux01

> FYI the SELinux error log is:
>
> type=AVC msg=audit(1718489462.110:101): avc: denied { add_name } for pid=1375 comm="(gssproxy)" name="clients" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
>
> In cockpit, there is a solution provided:
>
> ausearch -c '(gssproxy)' --raw | audit2allow -M my-gssproxy
> semodule -X 300 -i my-gssproxy.pp
>
> This seems to fix the gssproxy.service. Caution: I have no idea how SELinux works or if this is a bad idea...

I was able to start the service after following the command to add gssproxy auditing and installing the module in SELinux (at least that is what I gather from the above command).

@bsherman bsherman self-assigned this Aug 24, 2024
@bsherman bsherman added the bug Something isn't working label Aug 24, 2024
bsherman added a commit that referenced this issue Aug 24, 2024
Fixes: #165

This workaround should correct the gssproxy.service failure to start by
using tmpfiles to create the missing directories in /var/lib and a
service to restore the selinux labels on them.
@bsherman bsherman linked a pull request Aug 24, 2024 that will close this issue