Bug 1278027 - Service fails to start because it's run as root
Service fails to start because it's run as root
Product: Fedora
Classification: Fedora
Component: vnstat (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Adrian Reber
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2015-11-04 10:15 EST by Matthias Saou
Modified: 2016-05-31 11:47 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-05-31 11:47:16 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matthias Saou 2015-11-04 10:15:36 EST
I rebuilt the latest 1.14-2 on RHEL7, and the service fails to start with SELinux denial errors. While looking for possible causes, I came across #711995 which explains that the problem is because it's being run as root, and running as the vnstat user should work. And it does.

This fixes it for me :
 ExecStart=/usr/sbin/vnstatd -n
 ExecReload=/bin/kill -HUP $MAINPID

I see this in the current spec file :
%{__install} -p -m 644 examples/systemd/vnstat.service $RPM_BUILD_ROOT%{_unitdir}/

In the 1.11-21 package (current epel7 branch), the service file was Source1 and contained the proper user (it didn't have the reload, though) :

ExecStart=/usr/sbin/vnstatd -d

So I think the service file should either get patched or switched back to an external source file, in order to set the 'User=vnstat' back, as it's required for the service to work at all with SELinux enforcing (and root privileges aren't required).
Comment 1 Matthias Saou 2015-11-04 10:33:30 EST
Note that I was just reading through the /etc/vnstat.conf file and saw this which could be relevant too :

# switch to given user when started as root (leave empty to disable)
DaemonUser ""

# switch to given user when started as root (leave empty to disable)
DaemonGroup ""

...though since the file is %config(noreplace), the service would fail to restart for anyone upgrading with a modified vnstat.conf file. Easier to just fix the systemd service file :-)
Comment 2 Adrian Reber 2015-12-01 02:02:33 EST
Thanks for the bug report. Do you think this a change which should also be pushed to F23? I am not sure this should be pushed to F23. Although I wonder why no other bug report has been opened yet...
Comment 4 Jan Kurik 2016-02-24 08:54:30 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
Comment 5 Adrian Reber 2016-05-31 11:47:16 EDT
Ah, this is actually fixed in EPEL7 and Fedora 24 and greater since some time.

Note You need to log in before you can comment on or make changes to this bug.