Systemd fails to start service as root
I'm trying to start a service to sign the VirtualBox kernel modules, following https://nidomiro.de/2018/04/automatic-virtualbox-module-signing-for-uefi/
After adjusting the paths referenced in the bash script for Fedora, the script works when run manually as root. However, the service always fails:
    $ systemctl status sign-virtualbox.service
    ● sign-virtualbox.service - Signing VirtualBox Kernel Modules for UEFI
    Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code)
    Process: 3018 ExecStart=/root/module-signing/sign-vbox-modules.sh (code=exited, status=203/EXEC)
    Main PID: 3018 (code=exited, status=203/EXEC)
The output of sudo journalctl -xe says sign-virtualbox.service: Failed at step EXEC spawning /root/module-signing/sign-vbox-modules.sh: Permission denied
File permissions:
    $ sudo ls -l /root/module-signing/sign-vbox-modules.sh
    -rwx------. 1 root root 309 Aug 7 11:35 /root/module-signing/sign-vbox-modules.sh
Since the service is started as root, there shouldn't be a permissions issue, should there?
When you realize why this duplicates unix.stackexchange.com/questions/208736, you will know what to do. (-:
– JdeBP, Aug 7 at 16:10
@JdeBP How do I determine the correct SELinux context to assign to the files? The answer to the question to which you linked doesn't really answer the question beyond "SELinux contexts exist, get yours right"
– zaen, Aug 7 at 19:03
asked Aug 7 at 15:58
zaen
1 Answer
accepted
Execution of the binary is probably being blocked by SELinux. You can confirm that from the journal logs or perhaps from the audit logs (in /var/log/audit/audit.log) searching for "avc" errors.
To solve this problem, I'd recommend you host this script from a directory where scripts and binaries are typically located, such as /usr/local/bin, instead of under the home directory of the root user.
Once you move this script there, run restorecon on it to get it to the proper SELinux type (which should be system_u:object_r:bin_t:s0 or similar.)
So:
    mv /root/module-signing/sign-vbox-modules.sh /usr/local/bin/
    restorecon /usr/local/bin/sign-vbox-modules.sh
And edit your systemd service file to update the path.
And if you want to inspect that it has an appropriate SELinux type:
    ls -lZ /usr/local/bin/sign-vbox-modules.sh
answered Aug 8 at 2:02
Filipe Brandenburger
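The audit-log check suggested in the answer above, as an added example that is not part of the original answer: a filter that pulls out AVC denials blocking execution of a file and shows the source and target SELinux types. The sample records are constructed, and the admin_home_t label for a file under /root is an assumption based on the stock targeted policy; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials that block execution of a file.

# Constructed sample records (not from the page). The admin_home_t label on a
# file under /root is an assumption based on the stock targeted policy.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1533657480.123:456): avc:  denied  { execute } for  pid=3018 comm="(odules.sh)" name="sign-vbox-modules.sh" dev="dm-0" ino=131234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1533657481.001:457): avc:  denied  { read } for  pid=3100 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1533657482.000:458): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" res=success'
EOF
}

# Reads audit.log-style lines on stdin and prints, for every denied
# execute-type permission on a regular file:
#   <file name> <source type> <target type>
exec_denials() {
  awk '
    # Return the value of key=value from the current record, or "-".
    function get(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return "-"
    }
    # Third field of user:role:type:level is the SELinux type.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /type=AVC/ && /denied/ && /tclass=file/ {
      # The denied permissions sit between the braces.
      s = index($0, "{"); e = index($0, "}")
      perms = " " substr($0, s + 1, e - s - 1) " "
      if (perms !~ / (execute|execute_no_trans|entrypoint) /) next
      name = get("name"); gsub(/"/, "", name)
      print name, setype(get("scontext")), setype(get("tcontext"))
    }
  '
}

# Run against the constructed sample.
sample_audit_log | exec_denials
```

On a live host, feed it the real log as root with `exec_denials < /var/log/audit/audit.log`; the target type it reports is the label to compare against the bin_t type the answer expects after restorecon.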