Commit 6874c56

yixiangzhike authored and simo5 committed
Remove the NoNewPrivileges because it breaks the ability to open socket

If NoNewPrivileges is true, it breaks the ability to open a socket under /var/lib/gssproxy when SELinux is enabled.

The failed messages:

Nov 30 11:37:33 localhost systemd[1]: Starting GSSAPI Proxy Daemon...
Nov 30 11:37:34 localhost gssproxy[22445]: gssproxy[22445]: Failed to create Unix Socket! (13:Permission denied)
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Failed with result 'exit-code'.
Nov 30 11:37:34 localhost systemd[1]: Failed to start GSSAPI Proxy Daemon.

The audit log:

type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
----
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc: denied { add_name } for pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
----
type=SERVICE_START msg=audit(11/30/2024 11:37:34.082:191) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=gssproxy comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'

Signed-off-by: yixiangzhike <[email protected]>
1 parent b954728 commit 6874c56

File tree

1 file changed, +4 -1 lines changed

systemd/gssproxy.service.in

+4-1
@@ -54,7 +54,10 @@ PrivateMounts=yes
5454
SystemCallFilter=@system-service
5555
SystemCallErrorNumber=EPERM
5656
SystemCallArchitectures=native
57-
NoNewPrivileges=yes
57+
# NoNewPrivileges=yes
58+
# NoNewPrivileges: If it is true, it breaks the ability
59+
# to open a socket under /var/lib/gssproxy when selinux enabled.
60+
# So it is commented out here.
5861
CapabilityBoundingSet=CAP_DAC_OVERRIDE
5962
IPAddressDeny=any
6063
UMask=0177
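Review bot: The audit log quoted in the commit message points at an SELinux policy gap rather than at NoNewPrivileges itself, so the four new lines (57-60) trade away a hardening setting to work around a policy problem. The line `avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2` says the policy does not permit the init_t to gssproxy_t domain transition while no_new_privs is set; the daemon therefore keeps running as init_t, and the following `avc: denied { add_name } ... name=default.sock ... tcontext=system_u:object_r:gssproxy_var_lib_t:s0` is a knock-on effect of being in the wrong domain, not a separate socket problem. Commenting out NoNewPrivileges=yes makes the unit start but removes the guarantee that gssproxy and anything it executes cannot gain privileges through setuid/setgid binaries or file capabilities, which matters for a daemon that handles credentials. The change that addresses the cause is in the SELinux policy: allow init_t the process2 nnp_transition permission to gssproxy_t, and keep NoNewPrivileges=yes in the unit. If the unit change has to ship before the policy does, the replacement comment should describe it as a temporary workaround pending that policy fix instead of "So it is commented out here", and "when selinux enabled" should read "when SELinux is enabled".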
