The latest victim of systemd's PrivateTmp…

Sam Varshavchik mrsam at courier-mta.com
Tue Jan 15 01:38:41 UTC 2013


Rick Stevens writes:

> On 01/14/2013 05:15 PM, Sam Varshavchik issued this missive:
>> Tom Horsley writes:
>>
>>> On Mon, 14 Jan 2013 08:32:19 -0500
>>> Sam Varshavchik wrote:
>>>
>>> > … appears to be Apache. After installing the most recent systemd update:
>>> >
>>> > systemd[1429]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Operation not permitted
>>>
>>> I just installed updates (and rebooted) this morning and apache seems to be running
>>> fine on my desktop. I've got systemd-44-23.fc17.x86_64
>>
>> Yeah, some of my other machines seem to have survived. But all I know
>> is that on a stripped down, headless box, this update broke Apache,
>> until I took PrivateTmp out of httpd.service. Only systemd was
>> updated, apache wasn't. That's all I can figure out for now. The error
>> message text wasn't very helpful, and googling it around found a bunch
>> of references to PrivateTmp, so I took it out, and systemctl start
>> httpd.service worked. Put it back, systemd refuses to start it, take it
>> out, it works.
>
> Did you check to see if you have any selinux log entries pertaining to
> this? "Operation not permitted" smells selinux-ishy to me.

This stripped down box does not use selinux.

Jan 14 06:54:40 shorty kernel: [    3.219771] SELinux:  Disabled at runtime.
Jan 14 06:54:40 shorty kernel: [    3.249018] type=1404 audit(1358164472.135:2): selinux=0 auid=4294967295 ses=4294967295

/etc/selinux/config has SELINUX=disabled

The only thing that comes to mind that I have non-standard is:

[root@shorty ~]# ls -al /var/www
lrwxrwxrwx. 1 root root 11 Apr 19  2011 /var/www -> ../home/www

But if this caused some unfathomable problem with systemd's PrivateTmp, I'd expect apache to barf, instead of systemd whining.
