[Nexthop][run_scripts] Fix systemctl enable failure with SELinux enforcing #1321

Open
zackary-nexthop wants to merge 1 commit into facebook:main from nexthop-ai:zackary.nexthop.systemctl-enable-failure

@zackary-nexthop

Pre-submission checklist

  • I've run the linters locally and fixed lint errors related to the files I modified in this PR. You can install the linters by running pip install -r requirements-dev.txt && pre-commit install
  • pre-commit run

Summary

Write qsfp/fsdb OSS service unit files to /run/systemd/system/ instead of /tmp/.

Files in /tmp/ carry the tmp_t SELinux label. On CentOS Stream 9 with SELinux in enforcing mode, systemctl enable /tmp/*.service fails because the policy blocks symlinking from /etc/systemd/system/ to tmp_t targets. The existing enable/disable lifecycle is otherwise correct.

/run/systemd/system/ is the systemd-designated directory for dynamically-generated, non-persistent unit files. Files written there inherit systemd_unit_file_t automatically, so systemctl enable works without any label manipulation. Files are cleaned up on reboot, matching the transient nature of test services.

Changed files:

  • services/qsfp_service_utils.py: _QSFP_SERVICE_UNIT_FILE_PATH /tmp/ -> /run/systemd/system/
  • services/fsdb_service_utils.py: _FSDB_SERVICE_UNIT_FILE_PATH /tmp/ -> /run/systemd/system/

Test plan

  • Verified on a FBOSS platform running CentOS Stream 9 with SELinux enforcing: services start and stop cleanly, systemctl enable/disable succeed, link tests pass.
  • Existing behavior on platforms without SELinux enforcing is unchanged.
…rcing

Signed-off-by: Zackary Ayoun <zackary@nexthop.ai>
@zackary-nexthop zackary-nexthop requested a review from a team as a code owner June 23, 2026 11:11
@meta-cla meta-cla Bot added the CLA Signed label Jun 23, 2026
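
Added example, not part of the PR or the FBOSS code: a pre-flight check for the label relationship the summary describes, which reads a unit file's security.selinux xattr and classifies its type before systemctl enable is attempted. The function names are hypothetical, the sample contexts in the comments are constructed, and only the two types named in the summary are classified.

```python
import os
from typing import Dict, Iterable, Optional, Tuple

# Types taken from the PR summary: tmp_t is reported as blocked by policy,
# systemd_unit_file_t is reported as working with `systemctl enable`.
BLOCKED_TYPES = {"tmp_t"}
EXPECTED_TYPE = "systemd_unit_file_t"


def selinux_type(context: str) -> str:
    """Return the type field of a 'user:role:type[:level]' context string."""
    # The xattr value is usually NUL-terminated; MLS levels may add more ':'.
    fields = context.rstrip("\x00").strip().split(":")
    if len(fields) < 3 or not fields[2]:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]


def read_context(path: str) -> Optional[str]:
    """Read the security.selinux xattr; None if the label cannot be read."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):  # missing file/xattr, or non-Linux host
        return None
    return raw.decode("utf-8", errors="replace")


def classify(context: Optional[str]) -> str:
    """Return 'ok', 'blocked' or 'unknown' for a unit file's context."""
    if context is None:
        return "unknown"
    file_type = selinux_type(context)
    if file_type == EXPECTED_TYPE:
        return "ok"
    # Constructed sample: "unconfined_u:object_r:tmp_t:s0" lands here.
    return "blocked" if file_type in BLOCKED_TYPES else "unknown"


def preflight(paths: Iterable[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each unit file path to (context, verdict) before enabling it."""
    report = {}
    for path in paths:
        context = read_context(path)
        report[path] = (context, classify(context))
    return report
```

A verdict of "unknown" means the label is missing or is a type the summary does not discuss, so it needs a manual look rather than being treated as safe.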