[GH-ISSUE #1239] SELinux prevents tacticalagent from starting after agent upgrade #2709

Closed
opened 2026-03-14 05:11:29 +03:00 by kerem · 2 comments

Originally created by @joeldeteves on GitHub (Aug 8, 2022).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1239

Server Info (please complete the following information):

  • OS: Ubuntu 20.04
  • Browser: N/A
  • RMM Version (as shown in top left of web UI): 0.14.5

Installation Method:

  • [ ] Standard
  • [x] Docker

Agent Info (please complete the following information):

  • Agent version (as shown in the 'Summary' tab of the agent from web UI): 2.1.1
  • Agent OS: Rocky Linux 8.5

Describe the bug
Every time the agent is upgraded on an SELinux based distro, the agent fails to start with the following error:

```
Aug 08 18:27:22 nfs01 systemd[3427494]: tacticalagent.service: Failed to execute command: Permission denied
Aug 08 18:27:22 nfs01 systemd[3427494]: tacticalagent.service: Failed at step EXEC spawning /usr/local/bin/tacticalagent: Permission denied
-- Subject: Process /usr/local/bin/tacticalagent could not be executed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The process /usr/local/bin/tacticalagent could not be executed and failed.
--
-- The error number returned by this process is 13.
Aug 08 18:27:22 nfs01 systemd[1]: tacticalagent.service: Main process exited, code=exited, status=203/EXEC
Aug 08 18:27:22 nfs01 systemd[1]: tacticalagent.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- The unit tacticalagent.service has entered the 'failed' state with result 'exit-code'.
```

To Reproduce
Steps to reproduce the behavior:

  1. Install agent on an RPM-based distro that uses SELinux
  2. Upgrade the agent to a newer version using the dashboard
  3. Agent fails to start due to permission error

Workaround
The issue happens because if the binary is moved using mv from another directory with different SELinux permissions, it will keep those permissions.

The workaround is to run the following commands to repair the permission and start the agent:

```
restorecon -rv /usr/local/bin/tacticalagent
systemctl start tacticalagent
```

Expected behavior
The agent should have the correct permissions so it can start after upgrade

Additional context
See https://serverfault.com/questions/957084/failed-at-step-exec-spawning-permission-denied for more info

kerem closed this issue 2026-03-14 05:11:34 +03:00
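
A check for the condition described in the issue's workaround, written as an added example (not code from the issue or from the tacticalrmm project): it compares the label the binary currently carries with the label the loaded policy assigns to its path, and relabels only on a mismatch. The `--fix` argument and the two sample contexts are this example's own constructions; it assumes GNU `stat` and `matchpathcon` from libselinux-utils are installed.

```shell
#!/bin/sh
# Added example, not tacticalrmm code: detect and repair a mislabeled agent binary.
AGENT_BIN=/usr/local/bin/tacticalagent   # path from the journal output in the issue

# Type field of an SELinux context string (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# restorecon without -F only resets the type field, so only the type is compared.
label_matches() {
    [ "$(selinux_type "$1")" = "$(selinux_type "$2")" ]
}

current_context()  { stat -c %C "$1"; }        # label the file carries now
expected_context() { matchpathcon -n "$1"; }   # label the loaded policy assigns to the path

# Returns 0 when the label is correct or was repaired, 2 when a context cannot be read.
check_and_fix() {
    cur=$(current_context "$1") || return 2
    exp=$(expected_context "$1") || return 2
    if label_matches "$cur" "$exp"; then
        echo "ok: $1 is labeled $(selinux_type "$cur")"
        return 0
    fi
    echo "mismatch: $1 is $(selinux_type "$cur"), policy expects $(selinux_type "$exp")"
    restorecon -v "$1"
}

# Constructed sample contexts (assumed values, not taken from the issue):
# a file created in a temp directory and then moved with mv keeps its old type,
# while the policy default for /usr/local/bin is an executable type.
SAMPLE_MOVED='unconfined_u:object_r:user_tmp_t:s0'
SAMPLE_EXPECTED='system_u:object_r:bin_t:s0'

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--fix" ]; then
    check_and_fix "$AGENT_BIN" && systemctl start tacticalagent
fi
```

Run as root with `--fix` after an agent upgrade; the mismatch line it prints records which type the moved file kept.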

@wh1te909 commented on GitHub (Aug 8, 2022):

Fix will be in next release but since I had to change code in the agent update function, you will need to manually update the agent to the next version to get it to a working state.


@joeldeteves commented on GitHub (Aug 8, 2022):

Thanks for the quick fix!
