=====(DESCRIPTION OF PROBLEM)=====
the vnstat service won't run unless selinux is disabled

=====(VERSION NUMBERS)=====
centos linux 8.2.2004
vnstat-2.6-2.el8

=====(HOW REPRODUCIBLE)=====
always

=====(STEPS TO REPRODUCE)=====
download and install CentOS-8.2.2004-x86_64-dvd1.iso
reboot
dnf upgrade
reboot
dnf install epel-release
dnf install vnstat
systemctl enable vnstat
systemctl start vnstat

=====(EXPECTED RESULTS)=====
"systemctl status vnstat" would return: active (running)

=====(ACTUAL RESULTS)=====
"systemctl status vnstat" returns: (code=exited, status=238/STATE_DIRECTORY)

=====(ADDITIONAL INFO)=====
disabling selinux temporarily with "setenforce 0" allows vnstat to start and function normally

errors like these are logged:
Failed to set up special execution directory in /var/lib: Permission denied
Failed at step STATE_DIRECTORY spawning /usr/sbin/vnstatd: Permission denied
Error: Failed to open database "/var/lib/vnstat/vnstat.db" in read/write mode.

"tail /var/log/audit/audit.log | audit2allow" shows:
allow init_t vnstatd_var_lib_t:dir setattr;

possibly related bug: 1648539

while this is a bug occurring on centos I assume(?) it's also occurring on rhel, and the package is from epel
if it turns out this bug is unrelated to rhel feel free to close/ignore
The following SELinux policy module seems to fix the problem. These permissions need to be added to the vnstat module provided by the "selinux-policy-targeted" package.

#!/bin/bash
# Write a local type-enforcement module granting systemd (init_t) the
# directory permissions the audit log shows being denied on the vnstat
# state directory (vnstatd_var_lib_t).
cat <<-EOF > my-vnstatd.te
module my-vnstatd 1.0;

require {
type vnstatd_var_lib_t;
type init_t;
class dir { mounton read setattr };
}

#============= init_t ==============
allow init_t vnstatd_var_lib_t:dir mounton;
allow init_t vnstatd_var_lib_t:dir { read setattr };
EOF
# Compile, package and install the module at priority 300 so it layers
# above the distribution policy instead of replacing it.
checkmodule -M -m -o my-vnstatd.mod my-vnstatd.te
semodule_package -o my-vnstatd.pp -m my-vnstatd.mod
semodule -X 300 -i my-vnstatd.pp
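The .te module in the comment above is the kind of output audit2allow derives from the AVC records. As an added example (not from the report or any commenter), the Python below parses constructed audit.log lines of the same shape and renders the require/allow structure from exactly the permissions that were denied, so a local module can be checked against the real denials before it is installed. The function names and the sample log lines are my own.

```python
"""Derive a minimal SELinux .te module from AVC denial records, as
audit2allow does for the vnstatd STATE_DIRECTORY failure. Added example."""
import re
from collections import defaultdict

# Constructed sample of what /var/log/audit/audit.log shows while vnstat
# fails at STATE_DIRECTORY (systemd itself, init_t, touches the state dir).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1603000000.101:301): avc:  denied  { setattr } for  pid=1201 comm="(vnstatd)" name="vnstat" dev="dm-0" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1603000000.102:302): avc:  denied  { read } for  pid=1201 comm="(vnstatd)" name="vnstat" dev="dm-0" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1603000000.103:303): avc:  denied  { mounton } for  pid=1201 comm="(vnstatd)" name="vnstat" dev="dm-0" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1603000000.103:303): arch=c000003e syscall=165 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)"
)

def parse_avc_denials(log_text):
    """Return {(source_type, target_type, class): {perm, ...}} for denials only."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial
        # A context is user:role:type[:range]; the type is the third field.
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials

def render_te_module(denials, name="my-vnstatd", version="1.0"):
    """Emit .te text: a require block plus one allow rule per (src, tgt, class)."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te_module(parse_avc_denials(SAMPLE_AUDIT_LOG)), end="")
```

Feed it `ausearch -m AVC -ts recent` output instead of the sample to confirm that only the init_t to vnstatd_var_lib_t dir permissions appear before installing a rule that widens what systemd may do.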
Request for policy fix ... see: https://bugzilla.redhat.com/show_bug.cgi?id=1892365