Control: tags -1 confirmed
thanks
On Sun, May 24, 2026 at 10:29:37PM +0200, Petr Gajdůšek wrote:
> Fix for (2): add /run to ReadWritePaths.
>
> Secondary: the unit drops CAP_SYS_MODULE, so ferm can no longer modprobe
> netfilter modules itself ("modprobe: ... ip6_tables: Operation not
> permitted"). It should ship a modules-load.d snippet for the core modules.
diff --git a/debian/ferm.service b/debian/ferm.service
index cf21a73..0c360b8 100644
--- a/debian/ferm.service
+++ b/debian/ferm.service
@@ -29,12 +29,12 @@ UMask=0077
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
-ReadWritePaths=/var/cache/ferm
+ReadWritePaths=/var/cache/ferm /run
NoNewPrivileges=no
# Required capabilities for firewall management
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE
[Install]
WantedBy=multi-user.target
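Review bot: the `+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE` line restores module loading, but it also undoes most of what the hardening bought, since a process holding CAP_SYS_MODULE can load arbitrary code into the kernel; the alternative named in the quoted report, a modules-load.d snippet listing the core netfilter modules so they are present before ferm starts, keeps the bounding set at CAP_NET_ADMIN CAP_NET_RAW and is the safer fix. If the capability is kept anyway, note that AmbientCapabilities is left unchanged, so the addition only has an effect when the service runs as root (which already holds every capability in the bounding set), and the comment `# Required capabilities for firewall management` should then also mention module loading. For the `+ReadWritePaths=/var/cache/ferm /run` line, check whether the specific directory ferm writes under /run can be listed instead of the whole of /run, since ProtectSystem=strict otherwise keeps /run read-only for a reason.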
Would that be a good fix?
Greetings
Marc