From 2468facd8ca960bb7abccffd1f90c4fe5c0be7eb Mon Sep 17 00:00:00 2001 From: yixiangzhike Date: Sat, 7 Dec 2024 15:33:09 +0800 Subject: [PATCH] Remove the NoNewPrivileges because it breaks the ability to open socket If NoNewPrivileges is true, it breaks the ability to open a socket under /var/lib/gssproxy when selinux enabled. The failed messages: Nov 30 11:37:33 localhost systemd[1]: Starting GSSAPI Proxy Daemon... Nov 30 11:37:34 localhost gssproxy[22445]: gssproxy[22445]: Failed to create Unix Socket! (13:Permission denied) Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Main process exited, code=exited, status=1/FAILURE Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Failed with result 'exit-code'. Nov 30 11:37:34 localhost systemd[1]: Failed to start GSSAPI Proxy Daemon. The audit log: type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0 type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0 ---- type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc: denied { add_name } for pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0 ---- type=SERVICE_START msg=audit(11/30/2024 11:37:34.082:191) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=gssproxy comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed' --- systemd/gssproxy.service.in | 1 - 1 file changed, 1 deletion(-) diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in index 9b8c45a..73f4385 100644 --- a/systemd/gssproxy.service.in +++ b/systemd/gssproxy.service.in 
@@ -54,7 +54,6 @@ PrivateMounts=yes SystemCallFilter=@system-service SystemCallErrorNumber=EPERM SystemCallArchitectures=native -NoNewPrivileges=yes CapabilityBoundingSet=CAP_DAC_OVERRIDE IPAddressDeny=any UMask=0177
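Review bot: Dropping `NoNewPrivileges=yes` removes a hardening control for every installation (SELinux or not) to work around what the audit log shows is a policy gap, not a unit-file bug. The first AVC is `denied { nnp_transition }` on `tclass=process2` for the `init_t` -> `gssproxy_t` transition; `nnp_transition` is exactly the SELinux permission that lets a domain transition proceed under no_new_privs, so the fix belongs in the gssproxy SELinux policy module (grant that permission), not in this unit. The second AVC (`add_name` on `gssproxy_var_lib_t` with `scontext=...init_t`) is a consequence of the same failure: the daemon never left `init_t`, so it was denied creating `default.sock` with `init_t`'s rules. If the removal has to ship anyway, please (a) say in the commit message which distribution and policy version lack the rule and link the policy bug, (b) leave a comment in the unit next to the remaining hardening lines (`SystemCallFilter=@system-service`, `CapabilityBoundingSet=CAP_DAC_OVERRIDE`) recording why `NoNewPrivileges` is absent and that it should return once policy allows the transition, and (c) consider leaving the directive in the template and letting affected distributions override it with a drop-in, so non-SELinux and correctly-policied systems keep the protection against the daemon gaining privileges through setuid or file-capability executables.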