## Summary

An application built in Node.js failed to start on a system running RHEL 9.5 after updates. systemd gave no useful feedback about the failure, so a deeper investigation was required. It was discovered that SELinux was blocking the launch of the node process under systemd. The cause appears to be the enabling of a policy that restricts which binaries the `ExecStart` parameter in a systemd service file can run.[^1] After relabeling the node binary directory with the SELinux type `bin_t`, we were able to launch the service successfully.

## Research

> [!info]
> Some of the information contained has been sanitized of potentially sensitive data.

### Node.js Service

When attempting to launch the Node.js application after weekend updates, the application failed to start. Neither `systemctl status servicename` nor `journalctl -xeu servicename` showed any error messages. Copying the execution command from the service file and running it manually started the application, so the application could be run with the given commands but could not be run as a service.

After additional investigation it was discovered that SELinux was to blame. The following message was found in the `messages.log` located in `/var/log`:

```
Nov 19 15:39:16 myserver setroubleshoot[306402]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file node. For complete SELinux messages run: sealert -l be7f3407-2050-446d-8dbb-3a7e4a4212fd
Nov 19 15:39:16 myserver setroubleshoot[306402]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file node.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that systemd should be allowed execute access on the node file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(node)' --raw | audit2allow -M my-node#012# semodule -X 300 -i my-node.pp#012
```

> [!faq] Why didn't you use the command provided in the logs?
> The commands recommended by SELinux did not allow the service to start.

## Solution

After running the following command, the service was allowed to start.

```sh
chcon -R -t bin_t /home/serviceuser/.nvm/versions/node/v20.16.0/bin/
```

# References

[^1]: [ServerFault - Stack Exchange](https://serverfault.com/questions/1032597/selinux-is-preventing-from-execute-access-on-the-file-centos) *serverfault.com* Retrieved November 22, 2024
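
A label set with `chcon`, as in the Solution section, is not recorded in the SELinux policy, so a `restorecon` run or a full filesystem relabel reverts the directory to its default type. The following added example (not part of the original write-up) records the same `bin_t` label persistently with `semanage fcontext` and `restorecon`. It assumes both tools are installed; the function names `fcontext_pattern` and `persist_label` are hypothetical.

```shell
#!/bin/sh
# Added example: persist the bin_t label instead of relying on chcon alone.
# Assumption: `semanage` and `restorecon` are installed and this runs as root.

# Turn a directory path into the regex that `semanage fcontext` expects.
# File-context specs are regular expressions, so the dots in ".nvm" and
# "v20.16.0" are escaped to keep the rule from matching sibling paths.
fcontext_pattern() {
    dir=${1%/}                                    # drop one trailing slash
    escaped=$(printf '%s' "$dir" | sed 's/[.+*?()|{}$^[]/\\&/g')
    printf '%s(/.*)?' "$escaped"                  # directory plus everything below
}

# Print the commands (DRY_RUN=1, the default) or run them (DRY_RUN=0).
#   $1 = SELinux type, e.g. bin_t    $2 = directory to label
persist_label() {
    label=$1
    dir=${2%/}
    pattern=$(fcontext_pattern "$dir")
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf "semanage fcontext -a -t %s '%s'\n" "$label" "$pattern"
        printf "restorecon -Rv '%s'\n" "$dir"
    else
        # Record the rule in the local policy, then apply it to the files.
        semanage fcontext -a -t "$label" "$pattern" && restorecon -Rv "$dir"
    fi
}

# Report the SELinux type currently set on a path (third field of the context).
current_type() {
    stat -c %C "$1" | cut -d: -f3
}

# Pass the directory as the first argument; set DRY_RUN=0 to apply the change.
if [ $# -gt 0 ]; then
    persist_label bin_t "$1"
fi
```

With the default `DRY_RUN=1` the script only prints the two commands for review; after applying them, `current_type` on the `node` binary should report `bin_t`, and it should still do so after a later `restorecon`.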