Ben

Reputation: 730

Selinux is blocking Node service from starting via systemd unit file

I have a NodeJS application which runs fine when I start it manually with "npm run server". My app runs on Linux CentOS 8. If I start the app as a service via the unit file below, then it doesn't start when setenforce=1 (SELinux is enforcing). If I switch off SELinux with setenforce=0, then the service starts when executing "systemctl start translationtable".

This is my unit file, which is located in /etc/systemd/system/translationtable.service:

[Unit]
Description=TranslationtableService
After=network.target

[Service]
WorkingDirectory=/opt/nodejs/translationtable
ExecStart=/usr/bin/npm run server
Type=simple
User=sa-builder
Group=sa-builder

[Install]
WantedBy=multi-user.target

This is the error I am getting after starting the service, as shown by systemctl status translationtable:

translationtable.service - TranslationtableService
   Loaded: loaded (/etc/systemd/system/translationtable.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-05-17 10:32:04 CEST; 4s ago
  Process: 11815 ExecStart=/usr/bin/npm run server (code=exited, status=203/EXEC)
 Main PID: 11815 (code=exited, status=203/EXEC)

May 17 10:32:04 ac8app01.myexample.nl systemd[1]: Started TranslationtableService.
May 17 10:32:04 ac8app01.myexample.nl systemd[1]: translationtable.service: Main process exited, code=exited, status=203/EXEC
May 17 10:32:04 ac8app01.myexample.nl systemd[1]: translationtable.service: Failed with result 'exit-code'.
[root@ac8app01 translationtable]# vi /etc/systemd/system/translationtable.service
[root@ac8app01 translationtable]# systemctl status translationtable
  translationtable.service - TranslationtableService
   Loaded: loaded (/etc/systemd/system/translationtable.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-05-17 10:32:04 CEST; 8min ago
  Process: 11815 ExecStart=/usr/bin/npm run server (code=exited, status=203/EXEC)
 Main PID: 11815 (code=exited, status=203/EXEC)

May 17 10:32:04 ac8app01.myexample.nl systemd[1]: Started TranslationtableService.
May 17 10:32:04 ac8app01.myexample.nl systemd[1]: translationtable.service: Main process exited, code=exited, status=203/EXEC
May 17 10:32:04 ac8app01.myexample.nl systemd[1]: translationtable.service: Failed with result 'exit-code'.

My app runs in /opt/nodejs/translationtable.

I tried a lot of things, for example adding SELinux contexts as a lucky shot:

semanage fcontext -a --type httpd_sys_rw_content_t '/usr/bin/npm(/.*)?'
chcon -R -t httpd_sys_content_t /usr/bin/npm
chcon -R -t httpd_sys_rw_content_t /usr/bin/npm

semanage fcontext -a --type httpd_sys_rw_content_t '/opt/nodejs/translationtable(/.*)?'
chcon -R -t httpd_sys_content_t /opt/nodejs/translationtable
chcon -R -t httpd_sys_rw_content_t /opt/nodejs/translationtable

I also added the contents of my /var/log/audit/audit.log file, where there are a lot of denials regarding SELinux contexts:

type=SERVICE_START msg=audit(1589712010.061:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=translationtable comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1589712010.091:96): avc:  denied  { read } for  pid=1974 comm="(npm)" name="npm" dev="dm-0" ino=50690435 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=1
type=SYSCALL msg=audit(1589712010.091:96): arch=c000003e syscall=59 success=yes exit=0 a0=55c7f2a8e1e0 a1=55c7f29fc8f0 a2=55c7f2aaad70 a3=55c7f2852010 items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712010.091:96): proctitle=2F7573722F62696E2F6E6F6465002F7573722F62696E2F6E706D0072756E00736572766572
type=AVC msg=audit(1589712010.876:97): avc:  denied  { execmem } for  pid=1974 comm="npm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1589712010.876:97): arch=c000003e syscall=10 success=yes exit=0 a0=84f68104000 a1=7b000 a2=5 a3=0 items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=mprotect AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712010.876:97): proctitle=2F7573722F62696E2F6E6F6465002F7573722F62696E2F6E706D0072756E00736572766572
type=AVC msg=audit(1589712011.007:98): avc:  denied  { getattr } for  pid=1974 comm="npm" path="/usr/bin/npm" dev="dm-0" ino=50690435 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=1
type=SYSCALL msg=audit(1589712011.007:98): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7ffcbba58e78 a2=100 a3=fff items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712011.007:98): proctitle=2F7573722F62696E2F6E6F6465002F7573722F62696E2F6E706D0072756E00736572766572
type=AVC msg=audit(1589712012.976:99): avc:  denied  { read } for  pid=1974 comm="npm" name="translationtable" dev="dm-0" ino=51493520 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1589712012.976:99): arch=c000003e syscall=257 success=yes exit=18 a0=ffffff9c a1=55e9fe518330 a2=90800 a3=0 items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712012.976:99): proctitle="npm"
type=AVC msg=audit(1589712012.995:100): avc:  denied  { read } for  pid=1974 comm="npm" name="package.json" dev="dm-0" ino=51493542 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1589712012.995:100): avc:  denied  { open } for  pid=1974 comm="npm" path="/opt/nodejs/translationtable/package.json" dev="dm-0" ino=51493542 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1589712012.995:100): arch=c000003e syscall=257 success=yes exit=19 a0=ffffff9c a1=7ffcbba556e8 a2=80000 a3=0 items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712012.995:100): proctitle=2F7573722F62696E2F6E6F6465002F7573722F62696E2F6E706D0072756E00736572766572
type=AVC msg=audit(1589712013.025:101): avc:  denied  { getattr } for  pid=1974 comm="npm" path="/opt/nodejs/translationtable/package.json" dev="dm-0" ino=51493542 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1589712013.025:101): arch=c000003e syscall=332 success=yes exit=0 a0=13 a1=55e9fc9d1339 a2=1000 a3=fff items=0 ppid=1 pid=1974 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="sa-builder" GID="sa-builder" EUID="sa-builder" SUID="sa-builder" FSUID="sa-builder" EGID="sa-builder" SGID="sa-builder" FSGID="sa-builder"
type=PROCTITLE msg=audit(1589712013.025:101): proctitle=2F7573722F62696E2F6E6F6465002F7573722F62696E2F6E706D0072756E00736572766572

Nothing seems to work, and SELinux is giving me a terrible headache. Anybody have an idea?

Upvotes: 2

Views: 5402

Answers (1)

Chris

Reputation: 935

Check /var/log/messages for errors and suggestions. Example:

SELinux is preventing /usr/lib/systemd/systemd from <permission> on file <file>
For complete SELinux messages run: sealert -l <some-id>

You can then run the sealert command to get detailed information about the problem and how to correct it. (The ausearch/audit2allow commands will be in the detailed info output from sealert.)

Upvotes: 1
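As an added example (not code from the question or from this answer), the following POSIX shell script does by hand the first part of what the sealert/ausearch triage above gives you: it pulls every AVC record out of an audit.log, prints the denied permission, the subject domain, the target type, the object class, the object and the permissive flag on one line each, and then flags the two things visible in the records posted in the question: the denials were logged with permissive=1 (so they were collected under setenforce 0 and enforcing mode would block them), and the npm process is still running as init_t, systemd's own domain, while its targets (/usr/bin/npm and the application directory) carry httpd_sys_rw_content_t, the type the chcon commands in the question put on them. The sample records are copied from the question and trimmed; the function names and the init_t heuristic are this example's own assumptions, not part of the answer.

```shell
#!/bin/sh
# Added example (not from the question or the answer): summarize SELinux AVC
# denials from an audit.log so that the subject domain, target type, object
# class and permissive flag of each denial are visible on one line.
# Usage: summarize_avc /var/log/audit/audit.log   (or feed records on stdin)

summarize_avc() {
  awk '
    /^type=AVC / {
      perm = "?"; obj = "-"; sctx = "?"; tctx = "?"; cls = "?"; mode = "?"
      # "denied  { read }" or "denied  { read write }": keep the permissions inside the braces
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      gsub(/ /, ",", perm)
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        gsub(/"/, "", val)
        if (key == "path" || key == "name") obj = val
        else if (key == "scontext") sctx = val
        else if (key == "tcontext") tctx = val
        else if (key == "tclass") cls = val
        else if (key == "permissive") mode = val
      }
      # contexts are user:role:type:level; the type is what the policy decides on
      split(sctx, s, ":"); split(tctx, t, ":")
      printf "%s %s %s %s %s permissive=%s\n", perm, s[3], t[3], cls, obj, mode
    }' "$@"
}

# Flag two symptoms of a labelling problem. The init_t rule is this example's
# assumption: a service process still in the domain of systemd itself means no
# domain transition happened on exec, which is what a mislabelled executable
# looks like in the log (a policy-defined executable type would have transitioned).
check_avc() {
  summarize_avc "$@" | awk '
    $6 == "permissive=1" { perm1++ }
    $2 == "init_t" && $4 != "process" { initfs++ }
    END {
      if (perm1) print "note: " perm1 " denial(s) were recorded with permissive=1 (setenforce 0); enforcing mode would block them"
      if (initfs) print "note: " initfs " file/dir denial(s) have scontext init_t: the service is still in the systemd domain, check the label of the executable with matchpathcon and restorecon"
    }'
}

# Constructed sample: three AVC records and one SYSCALL record copied from the
# question and trimmed. The SYSCALL record must be ignored by the summary.
sample_audit() {
  cat <<'EOF'
type=AVC msg=audit(1589712010.091:96): avc:  denied  { read } for  pid=1974 comm="(npm)" name="npm" dev="dm-0" ino=50690435 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=1
type=SYSCALL msg=audit(1589712010.091:96): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1974 comm="npm" exe="/usr/bin/node" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1589712010.876:97): avc:  denied  { execmem } for  pid=1974 comm="npm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
type=AVC msg=audit(1589712012.995:100): avc:  denied  { open } for  pid=1974 comm="npm" path="/opt/nodejs/translationtable/package.json" dev="dm-0" ino=51493542 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
EOF
}

# Stand-alone demo on the constructed sample
sample_audit | summarize_avc
sample_audit | check_avc
```

On a real host, run `summarize_avc /var/log/audit/audit.log` as root; the summary is meant to be read next to the sealert output, not instead of it. The two notes from check_avc only point at where to look (label of the executable and the application directory versus what the policy expects, which matchpathcon shows); they do not generate allow rules, because a denial caused by a wrong file label is fixed by restoring the label, not by widening the policy with audit2allow.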
