Branch: refs/heads/main
Home: https://github.com/gssapi/gssproxy
Commit: 6874c569ee743312cebff91e7146267f185f0332
https://github.com/gssapi/gssproxy/commit/6874c569ee743312cebff91e7146267f1…
Author: yixiangzhike <yixiangzhike007(a)163.com>
Date: 2024-12-10 (Tue, 10 Dec 2024)
Changed paths:
M systemd/gssproxy.service.in
Log Message:
-----------
Remove the NoNewPrivileges because it breaks the ability to open socket
If NoNewPrivileges is true, it breaks the ability to open a socket
under /var/lib/gssproxy when SELinux is enabled.
The failed messages:
Nov 30 11:37:33 localhost systemd[1]: Starting GSSAPI Proxy Daemon...
Nov 30 11:37:34 localhost gssproxy[22445]: gssproxy[22445]: Failed to create Unix Socket! (13:Permission denied)
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 11:37:34 localhost systemd[1]: gssproxy.service: Failed with result 'exit-code'.
Nov 30 11:37:34 localhost systemd[1]: Failed to start GSSAPI Proxy Daemon.
The audit log:
type=SELINUX_ERR msg=audit(11/30/2024 11:37:34.067:189) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:gssproxy_t:s0
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
----
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc: denied { add_name } for pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
----
type=SERVICE_START msg=audit(11/30/2024 11:37:34.082:191) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=gssproxy comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'
Signed-off-by: yixiangzhike <yixiangzhike007(a)163.com>
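
An added example (not part of the commit or of the gssproxy project): a Python triage script that reads the two AVC records quoted in the commit message and links the nnp_transition denial to the later denial evaluated while the process was still in the init_t context. The function names are hypothetical.

```python
import re

# The two AVC records quoted in the commit message above, embedded as sample input.
SAMPLE = """\
type=AVC msg=audit(11/30/2024 11:37:34.067:189) : avc: denied { nnp_transition } for pid=22445 comm=(gssproxy) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(11/30/2024 11:37:34.080:190) : avc: denied { add_name } for pid=22445 comm=gssproxy name=default.sock scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gssproxy_var_lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(text):
    """Return one dict per AVC denial: its key=value fields plus a 'perms' set."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            rec = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
            rec["perms"] = set(m.group("perms").split())
            records.append(rec)
    return records


def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]


def find_blocked_transitions(text):
    """Link each nnp_transition denial to later denials from the same pid
    that were evaluated against the context the process failed to leave."""
    records = parse_avc(text)
    findings = []
    for i, rec in enumerate(records):
        if "nnp_transition" not in rec["perms"]:
            continue
        follow_on = [(sorted(r["perms"]), r["tclass"], r.get("name"))
                     for r in records[i + 1:]
                     if r["pid"] == rec["pid"] and r["scontext"] == rec["scontext"]]
        findings.append({
            "pid": rec["pid"],
            "comm": rec["comm"].strip("()"),
            "stayed_in": selinux_type(rec["scontext"]),
            "wanted": selinux_type(rec["tcontext"]),
            "follow_on": follow_on,
        })
    return findings


if __name__ == "__main__":
    for finding in find_blocked_transitions(SAMPLE):
        print(finding)
```

A non-empty `follow_on` list indicates denials that are a consequence of the blocked transition and not a gap in the target domain's own policy.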