Hello List,
with one of the recent updates, CFEngine starts getting EROFS whenever it tries to write a file. Since writing works just fine from a shell, I assume this is the result of some security measure that isn't properly configured. Does anyone have an idea where to look?
Thanks,
A.
--
Ansgar Esztermann
Sysadmin
Dep. Theoretical and Computational Biophysics
http://www.mpibpc.mpg.de/grubmueller/esztermann
Ansgar Esztermann-Kirchner wrote:
Hello List,
with one of the recent updates, CFEngine starts getting EROFS whenever it tries to write a file. Since writing works just fine from a shell, I assume this is the result of some security measure that isn't properly configured. Does anyone have an idea where to look?
apparmor ?
--
Per Jessen, Zürich (18.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Thu, Sep 16, 2021 at 09:04:23AM +0200, Per Jessen wrote:
properly configured. Does anyone have an idea where to look?
apparmor ?
I don't know much about AppArmor, but I have always assumed that after an aa-teardown, it should be effectively disabled. If that is correct, then there must be another reason.
A.
--
Ansgar Esztermann
Sysadmin
Dep. Theoretical and Computational Biophysics
http://www.mpibpc.mpg.de/grubmueller/esztermann
On Thu, Sep 16, 2021 at 09:04:23AM +0200, Per Jessen wrote:
Ansgar Esztermann-Kirchner wrote:
apparmor ?
It wasn't, after all. The culprit turned out to be the recent systemd hardening effort (BNC 1181400). ProtectSystem=full just doesn't make sense for a config management system. Getting software from obs has disadvantages, too...
A.
--
Ansgar Esztermann
Sysadmin
Dep. Theoretical and Computational Biophysics
http://www.mpibpc.mpg.de/grubmueller/esztermann
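The thread ends on ProtectSystem=full as the source of the EROFS errors. As an added example (not from the thread, CFEngine or the distribution's packaging), this Python sketch models which paths a unit's ProtectSystem= and ReadWritePaths= settings leave read-only, following systemd.exec(5). It is a simplified model that ignores other mount-related settings, and the unit name and paths in the sample are placeholders.

```python
import posixpath
# Prefixes mounted read-only for each ProtectSystem= value, per systemd.exec(5).
RO_PREFIXES = {"yes": ["/usr", "/boot", "/efi"],
               "full": ["/usr", "/boot", "/efi", "/etc"],
               "strict": ["/"]}
TRUE_WORDS = {"1", "yes", "true", "on"}

def parse_service(unit_text):
    """Return (ProtectSystem value, ReadWritePaths list) from [Service] sections."""
    protect, rw, section = "no", [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "ProtectSystem":  # last assignment wins
                protect = "yes" if value.lower() in TRUE_WORDS else value.lower()
            elif key == "ReadWritePaths":  # empty assignment resets the list
                rw = rw + [p.lstrip("-+") for p in value.split()] if value else []
    return protect, rw

def _depth(prefix, path):
    """Length of prefix if path is at or below it, else -1."""
    prefix = posixpath.normpath(prefix)
    hit = prefix == "/" or path == prefix or path.startswith(prefix + "/")
    return len(prefix) if hit else -1

def is_read_only(unit_text, path):
    """True if a write to path would get EROFS under this simplified model."""
    protect, rw = parse_service(unit_text)
    path = posixpath.normpath(path)
    if protect == "strict":
        rw = rw + ["/dev", "/proc", "/sys"]  # API file systems stay writable
    ro_best = max((_depth(p, path) for p in RO_PREFIXES.get(protect, [])), default=-1)
    rw_best = max((_depth(p, path) for p in rw), default=-1)
    return ro_best > rw_best  # deepest prefix wins; a tie goes to ReadWritePaths

# Constructed sample in the shape `systemctl cat` prints: unit, then drop-in.
SAMPLE = """\
# /usr/lib/systemd/system/example-agent.service
[Service]
ProtectSystem=full
# /etc/systemd/system/example-agent.service.d/override.conf
[Service]
ReadWritePaths=/etc/example
"""
print({p: is_read_only(SAMPLE, p) for p in ("/etc/hosts", "/etc/example/a.conf")})
```

Feeding it the output of `systemctl cat` for the affected unit shows whether a drop-in with ReadWritePaths= covers the directories the service has to write.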
participants (2)
- Ansgar Esztermann-Kirchner
- Per Jessen