Bug
Resolution: Unresolved
rhel-8.9.0, rhel-9.3.0
Moderate
rhel-sst-security-special-projects
ssg_security
Red Hat Enterprise Linux
- the unit files comment describes how to create a unit file drop-in configuration rather than uncommenting a line inside the file
All
What were you trying to do that didn't work?
When users/groups are stored in an NSS remote backend, the admin needs to delay startup of fapolicyd until NSS user lookup is available.
The unit file provides a wrong procedure:
[Service]
...
# Uncomment the following line if rules need user/group name lookup
#After=nss-user-lookup.target
...
Following the procedure leads to 2 issues:
- an error message pops up when starting the unit
[...] systemd[1]: /usr/lib/systemd/system/fapolicyd.service:15: Unknown lvalue 'After' in section 'Service'
This is because After belongs to the [Unit] section, not the [Service] section.
- changing /usr/lib/systemd/system/fapolicyd.service directly should be avoided because changes will be lost on package update
The proper way to enable the dependency is to create a drop-in instead. The unit file content should hence be fixed accordingly, something like this:
[Unit]
Description=File Access Policy Daemon
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Documentation=man:fapolicyd(8)

## Create a drop-in if rules need user/group name lookup
# mkdir -p /etc/systemd/system/fapolicyd.service.d
# echo -e "[Unit]\nAfter=nss-user-lookup.target" > /etc/systemd/system/fapolicyd.service.d/nss-user-lookup.conf
# systemctl daemon-reload

[Service]
OOMScoreAdjust=-1000
[...]
Please provide the package NVR for which bug is seen:
All releases
How reproducible:
Always
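An added example, not part of the original report or of the fapolicyd package: a shell lint that flags ordering/dependency directives such as After= placed outside [Unit], the mistake behind the "Unknown lvalue" message above. The function names, the directive list and the sample unit file are constructed for illustration.

```shell
#!/bin/sh
# find_misplaced_unit_keys FILE
# Prints "line:section:key" for each [Unit]-only directive found in another
# section. The directive list is a subset chosen for this example.
find_misplaced_unit_keys() {
    awk '
        BEGIN {
            n = split("After Before Wants Requires Requisite BindsTo PartOf Conflicts", k, " ")
            for (i = 1; i <= n; i++) unit_only[k[i]] = 1
        }
        /^[ \t]*[#;]/ { next }                 # commented-out lines are inert
        /^[ \t]*\[/ {                          # section header, e.g. [Service]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        /^[ \t]*[A-Za-z][A-Za-z0-9]*[ \t]*=/ { # Key=Value assignment
            key = $0
            sub(/[ \t]*=.*/, "", key)
            sub(/^[ \t]*/, "", key)
            if (section != "Unit" && (key in unit_only))
                printf "%d:%s:%s\n", NR, section, key
        }
    ' "$1"
}

# write_sample_unit PATH
# Writes a constructed unit file that mimics the result of following the
# "uncomment the following line" advice quoted in the report.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=File Access Policy Daemon
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service

[Service]
OOMScoreAdjust=-1000
# Uncomment the following line if rules need user/group name lookup
After=nss-user-lookup.target
EOF
}
```

Run against the drop-in proposed in the report, the function prints nothing, because there After= sits under [Unit].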