
Environment: CentOS 8, DigitalOcean Droplet

I've recently found 2 strange, seemingly unconnected errors in my OS.

SELinux setting httpd_can_network_relay to on throws error, “could not convert system_u:object_r:systemd_sleep_exec_t:s0 to sid”. How is this fixed?

Michael Hampton suggested this may be the result of a corrupt SELinux policy. I followed his instructions and reinstalled selinux but the error persisted.

Tonight I got a warning that my server's SSL certificate was not renewing even though it was set up to automatically renew with snap.

I checked and certbot.renew was disabled and inactive.

    $ snap services
    Service        Startup   Current   Notes
    certbot.renew  disabled  inactive  -

When I attempted to force renewal with a refresh I got this error.

    $ snap refresh
    error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
           /tmp/sanity-mountpoint-019949784: wrong fs type, bad option, bad superblock on /dev/loop0,
           missing codepage or helper program, or other error.

Then I tested certbot without snap and got an error.

    $ sudo certbot renew --dry-run
    internal error, please report: running "certbot" failed: cannot find installed snap "certbot" at revision 952: missing file /var/lib/snapd/snap/certbot/952/meta/snap.yaml

Question: Am I right to suspect that my OS may be corrupt? If so, is there a tool or method I can use to restore CentOS back to its original, healthy state?

myNewAccount
  • You can restore from backup. BTW, use of snap is very unusual, especially for something like certbot that's included with CentOS or EPEL. You may just want to start over with a new droplet, and try to avoid any strangeness in the future. – Michael Hampton Feb 22 '21 at 02:45
  • @MichaelHampton Thanks Mike. I have Jr. experience with Linux so I don't know much about snap. However, Certbot / Let's Encrypt now uses snap as its official renewal mechanism on CentOS 8. https://certbot.eff.org/lets-encrypt/centosrhel8-nginx.html – myNewAccount Feb 22 '21 at 02:49
  • Ahh, I can see why they recommend the snap, but not necessarily for CentOS. Certain distributions don't keep certbot up to date as they should (specifically Debian/Ubuntu) and on those distros you absolutely need to use the snap. This isn't really an issue on CentOS where the packages are kept up to date. You could try to use the snap, but snap is largely yet another technologically questionable Canonical thing and most everyone else in the world ignores it. – Michael Hampton Feb 22 '21 at 04:05
  • You also can install `certbot` using `pip`: https://certbot.eff.org/lets-encrypt/pip-apache – Paul Jul 10 '21 at 18:35

1 Answer

To fix this error, follow the steps below:

  1. Run this command:

    $ sestatus

    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: enforcing
    Mode from config file: enforcing
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: actual (secure)
    Max kernel policy version: 31

  2. If the output looks like the one above, run this command:

    $ sudo semodule -i /usr/share/selinux/packages/snappy.pp.bz2

  3. and restart your system:

    $ sudo reboot

Source: https://tecrobust.com/how-to-fix-error-system-does-not-fully-support-snapd-fedora-31/

Nimpo
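Steps 1 and 2 of the answer above as a guarded script. This is an added example, not part of the answer. It assumes that "looks like the one above" means `SELinux status` is `enabled` and `Current mode` is `enforcing`, and that the module installed from `snappy.pp.bz2` appears in `semodule -l` as `snappy`; the function names are hypothetical.

```shell
#!/bin/sh
# Path taken from step 2 of the answer.
SNAPPY_PP=/usr/share/selinux/packages/snappy.pp.bz2

# Print the value of one sestatus field read from stdin, e.g. "Current mode".
sestatus_field() {
    awk -F: -v key="$1" \
        '$1 == key { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Return 0 when captured sestatus text ($1) shows SELinux enabled and
# enforcing (assumed reading of "the output looks like the one above").
selinux_enforcing() {
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    mode=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    [ "$status" = "enabled" ] && [ "$mode" = "enforcing" ]
}

# Return 0 when a module list ($1, output of `semodule -l`) contains the
# module named $2. Matching the first column also handles "name version".
module_loaded() {
    printf '%s\n' "$1" |
        awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Steps 1 and 2, guarded. Call this as root on the affected host.
fix_snapd_policy() {
    if ! selinux_enforcing "$(sestatus)"; then
        echo "sestatus does not match step 1; nothing done"
        return 0
    fi
    if module_loaded "$(semodule -l)" snappy; then   # assumed module name
        echo "snappy module already loaded; nothing done"
        return 0
    fi
    [ -r "$SNAPPY_PP" ] || { echo "missing $SNAPPY_PP" >&2; return 1; }
    semodule -i "$SNAPPY_PP" && echo "module loaded; reboot as in step 3"
}

# Constructed sample: the two sestatus lines from step 1 that the check reads.
SAMPLE='SELinux status:                 enabled
Current mode:                   enforcing'
selinux_enforcing "$SAMPLE" && echo "sample: condition for step 2 is met"
```

Sourcing the file only runs the check on the constructed sample; `fix_snapd_policy` changes the loaded policy and has to be called explicitly.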