Debugging “Failed at step EXEC spawning: Permission denied” in systemd Services with SELinux Context Analysis

When your meticulously configured systemd service fails with "Permission denied" despite having 777 permissions and root ownership, it's time to look beyond traditional Unix permissions. The audit logs reveal the real culprit:

type=AVC msg=audit(1551898814.098:1342): avc: denied { execute } 
for pid=11002 comm="(xteve)" name="xteve" dev="dm-0" ino=30958 
scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

The cause is an SELinux context mismatch between:

  • Source context (scontext): system_u:system_r:init_t, the domain systemd itself runs in
  • Target context (tcontext): unconfined_u:object_r:admin_home_t, the label every file created under /root receives by default

Method 1: Relabel the Binary as bin_t

# Register the file-context rule first: restorecon applies whatever rule matches,
# so running it before semanage would only reassert admin_home_t.
semanage fcontext -a -t bin_t "/root/IPTV(/.*)?"
restorecon -R -v /root/IPTV
# The pattern above labels everything under /root/IPTV as bin_t, config and data
# files included; if the directory holds more than the executable, use the
# exact path "/root/IPTV/xteve" instead.

Method 2: Create Custom Policy Module

grep xteve /var/log/audit/audit.log | audit2allow -M xteve_policy
semodule -i xteve_policy.pp

The generated module allows init_t to execute any file labelled admin_home_t, not just this binary, so it widens what systemd may run from /root. Read the generated xteve_policy.te before loading it, and prefer relabelling when that is all the service needs.

Method 3: Temporary Testing (Not Recommended for Production)

setenforce 0
# Test your service
# Remember to re-enable afterwards:
setenforce 1

Independently of the SELinux fix, consider:

  • Moving the binary to a standard location such as /usr/local/bin, which is labelled bin_t by default
  • Using a dedicated service account instead of root, for example:

[Service]
User=xteve_user
Group=xteve_group
ExecStart=/opt/xteve/bin/xteve
# CapabilityBoundingSet= only limits what the service may hold; a non-root User=
# that must bind a port below 1024 also needs AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

After applying fixes:

ls -Z /root/IPTV/xteve
systemctl daemon-reload
systemctl start xteve
journalctl -xe -u xteve

Your audit logs clearly show an SELinux denial:

type=AVC msg=audit(1551898814.098:1342): avc: denied { execute } for pid=11002 comm="(xteve)" 
name="xteve" dev="dm-0" ino=30958 scontext=system_u:system_r:init_t:s0 
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

This indicates SELinux is preventing systemd (running in init_t context) from executing a binary labeled with admin_home_t.
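The reading above (split the contexts into user:role:type:level, compare the source domain with the target type, decide whether a relabel or a policy change is the right fix) is easy to script. The following is an added Python example, not part of the original article: it parses AVC records from an audit log excerpt, extracts the fields used in the analysis, and classifies each denial. The audit excerpt is constructed; its first record is the one quoted in the article, the other two are made up to exercise the permissive=1 and non-home-directory branches. The set of home-directory types and the advice strings are the author's own assumptions, not output of any SELinux tool.

```python
import re
from dataclasses import dataclass, field

# Constructed audit excerpt. Record 1 is the AVC quoted in the article; records
# 2 and 3 are invented (pids, inodes, paths) to exercise the other branches.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1551898814.098:1342): avc: denied { execute } for pid=11002 comm="(xteve)" name="xteve" dev="dm-0" ino=30958 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551898814.098:1342): arch=c000003e syscall=59 success=no exit=-13 comm="(xteve)" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1551898900.001:1350): avc: denied { execute } for pid=11050 comm="(xteve)" path="/home/iptv/xteve" dev="dm-0" ino=31001 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551898950.500:1360): avc: denied { write } for pid=11100 comm="xteve" name="config.yaml" dev="dm-0" ino=40001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of types that files under /root and /home receive by default;
# init_t is not allowed to execute files carrying these labels.
HOME_TYPES = {"admin_home_t", "user_home_t", "home_root_t", "user_home_dir_t"}


@dataclass
class Avc:
    result: str
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]  # user:role:type:level -> type

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    @property
    def target_path(self) -> str:
        # path= is only present for some operations; fall back to the basename in name=.
        return self.fields.get("path") or self.fields.get("name", "<unknown>")


def parse_avc(line: str):
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Avc(result=m["result"], perms=m["perms"].split(), scontext=m["scontext"],
               tcontext=m["tcontext"], tclass=m["tclass"],
               permissive=m["permissive"] == "1", fields=fields)


def parse_audit_log(text: str) -> list:
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]


def diagnose(avc: Avc) -> tuple:
    """Classify one record and return (kind, advice)."""
    if avc.result != "denied":
        return ("granted", "not a denial; nothing to do")
    note = ""
    if avc.permissive:
        note = "permissive=1: logged but not blocked; it will fail once enforcing. "
    if avc.tclass == "file" and "execute" in avc.perms and avc.target_type in HOME_TYPES:
        p = avc.target_path
        return ("mislabeled-binary",
                note + f"{avc.source_type} cannot execute a {avc.target_type} file. "
                f"Relabel it (or move it out of the home directory): "
                f"semanage fcontext -a -t bin_t '{p}' && restorecon -v '{p}'")
    return ("policy-gap",
            note + f"{avc.source_type} denied {{ {' '.join(avc.perms)} }} on "
            f"{avc.target_type} {avc.tclass}; explain the denial with: "
            "grep avc /var/log/audit/audit.log | audit2allow -w")


if __name__ == "__main__":
    for record in parse_audit_log(SAMPLE_AUDIT_LOG):
        kind, advice = diagnose(record)
        print(f"[{kind}] {advice}")
```

Run it against a real log with `python3 avc_triage.py < /var/log/audit/audit.log` after swapping the sample for stdin; the point of the split is that a denial on a home-directory type is a labelling problem and should never be "fixed" with a generated allow rule.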

Check the current SELinux context of your binary:

ls -Z /root/IPTV/xteve

You'll likely see output like:

-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 /root/IPTV/xteve

The proper solution is to relabel the binary with the correct context:

semanage fcontext -a -t bin_t "/root/IPTV/xteve"
restorecon -v /root/IPTV/xteve

Alternatively, generate a custom policy module from the denial (broader than relabelling, since it lets init_t execute every admin_home_t file; review the generated .te file before loading it):

grep xteve /var/log/audit/audit.log | audit2allow -M xteve_policy
semodule -i xteve_policy.pp

For testing purposes only:

setenforce 0

To make this permanent (highly discouraged for production):

sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config

Even after fixing SELinux, your service file needs adjustments:

[Unit]
Description=XTeVe IPTV Proxy
After=network-online.target
Requires=network-online.target

[Service]
ExecStart=/opt/xteve/xteve
WorkingDirectory=/opt/xteve
User=xteve
Group=xteve
Restart=on-failure
RestartSec=5
Environment="HOME=/opt/xteve"

[Install]
WantedBy=multi-user.target
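Both unit snippets on this page make the same two points: the binary must not live under /root, and the service should not run as root. This added Python example, not part of the original article, is a small unit-file lint that checks exactly those points plus the capability caveat (CapabilityBoundingSet= alone does not grant a non-root User= the ability to bind privileged ports; that needs AmbientCapabilities=). The three unit texts are constructed from the snippets on this page; the parser is a minimal reader for the key=value sections systemd uses and is the author's own, not systemd's.

```python
# Constructed units: the hardened one from the article, a minimal unit that
# exhibits the original problem, and the earlier snippet that sets only
# CapabilityBoundingSet= for a non-root user.
HARDENED_UNIT = """\
[Unit]
Description=XTeVe IPTV Proxy
After=network-online.target
Requires=network-online.target

[Service]
ExecStart=/opt/xteve/xteve
WorkingDirectory=/opt/xteve
User=xteve
Group=xteve
Restart=on-failure
RestartSec=5
Environment="HOME=/opt/xteve"

[Install]
WantedBy=multi-user.target
"""

ROOT_HOME_UNIT = """\
[Service]
ExecStart=/root/IPTV/xteve
"""

CAPS_ONLY_UNIT = """\
[Service]
User=xteve_user
Group=xteve_group
ExecStart=/opt/xteve/bin/xteve
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
"""

# Assumed: paths under these prefixes carry admin_home_t / user_home_t by default.
HOME_PREFIXES = ("/root/", "/home/")


def parse_unit(text: str) -> dict:
    """Minimal systemd unit reader: {section: {key: [values...]}}; keys may repeat."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            unit.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            unit[section].setdefault(key.strip(), []).append(value.strip())
    return unit


def exec_path(value: str) -> str:
    """First word of an Exec*= value with systemd's prefix characters removed."""
    return value.split()[0].lstrip("-@:+!")


def lint_unit(text: str) -> list:
    unit = parse_unit(text)
    svc = unit.get("Service", {})
    findings = []
    for key in ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop"):
        for value in svc.get(key, []):
            path = exec_path(value)
            if path.startswith(HOME_PREFIXES):
                findings.append(
                    f"{key}={path}: binary lives under a home directory (admin_home_t/"
                    "user_home_t); systemd (init_t) will be denied execute. Move it to "
                    "/usr/local/bin or /opt and run restorecon, or label it bin_t.")
    user = svc.get("User", ["root"])[-1]
    if user == "root":
        findings.append("User= missing or root: the service runs with full root "
                        "privileges; create a dedicated account and set User=/Group=.")
    bounding = {c for v in svc.get("CapabilityBoundingSet", []) for c in v.split()}
    ambient = {c for v in svc.get("AmbientCapabilities", []) for c in v.split()}
    if user != "root" and "CAP_NET_BIND_SERVICE" in bounding and "CAP_NET_BIND_SERVICE" not in ambient:
        findings.append("CapabilityBoundingSet= only limits capabilities; a non-root "
                        "User= needs AmbientCapabilities=CAP_NET_BIND_SERVICE to bind "
                        "ports below 1024.")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_UNIT), ("root-home", ROOT_HOME_UNIT),
                       ("caps-only", CAPS_ONLY_UNIT)):
        print(name, lint_unit(text) or ["ok"])
```

The lint is deliberately label-unaware: it reasons only from paths, so it can run on a workstation without SELinux; the authoritative check on the host remains `ls -Z` on the ExecStart path.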

Instead of using /root, follow the Filesystem Hierarchy Standard (FHS):

mkdir -p /opt/xteve
chown xteve:xteve /opt/xteve
mv /root/IPTV/xteve /opt/xteve/
# mv keeps the file's existing admin_home_t label; reapply the default for /opt
restorecon -R -v /opt/xteve

After implementing changes:

systemctl daemon-reload
systemctl start xteve
journalctl -u xteve -b --no-pager -n 50