Bug #12673
closed
SElinux error when installing Rudder 4.1.12/4.2.6 on centos 7
Priority: 0
Description
While installing Rudder 4.2.6 on centos 7, I got the following error message:

centos7_server: INFO: Setting Apache HTTPd as a boot service...Note: Forwarding request to 'systemctl enable httpd.service'.
centos7_server: Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
centos7_server: Done
centos7_server: INFO: Stopping Apache HTTPd... Done
centos7_server: INFO: No usable SSL certificate detected for Rudder HTTP/S support, generating one automatically... Done
centos7_server: INFO: Starting Apache HTTPd... Done
centos7_server: libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
centos7_server: rudder-relay: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7_server: rudder-relay: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
centos7_server: rudder-relay: Failed to read policy package
centos7_server: libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
centos7_server: (No such file or directory).
centos7_server: semodule: Failed!
centos7_server: INFO: rudder-server-relay setup complete.
...
centos7_server: INFO: Applying ncf-api-virtualenv selinux policy...libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
centos7_server: ncf-api-virtualenv: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7_server: ncf-api-virtualenv: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
centos7_server: ncf-api-virtualenv: Failed to read policy package
centos7_server: libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
centos7_server: (No such file or directory).
centos7_server: semodule: Failed!
centos7_server: Done
???
centos7_server: INFO: Adding ncf-api-venv to the rudder group... Done
centos7_server: libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
centos7_server: rudder-webapp: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7_server: rudder-webapp: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
centos7_server: rudder-webapp: Failed to read policy package
centos7_server: libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
centos7_server: (No such file or directory).
centos7_server: semodule: Failed!
Updated by Nicolas CHARLES over 6 years ago
The list of installed/updated packages is:

centos7_server: ================================================================================
centos7_server:  Package                      Arch    Version                          Repository  Size
centos7_server: ================================================================================
centos7_server: Installing:
centos7_server:  rudder-server-root           noarch  1398866025:4.2.6.release-1.EL.7  Rudder      4.9 k
centos7_server: Installing for dependencies:
centos7_server:  apr                          x86_64  1.4.8-3.el7_4.1                  base        103 k
centos7_server:  apr-util                     x86_64  1.5.2-6.el7                      base         92 k
centos7_server:  copy-jdk-configs             noarch  3.3-10.el7_5                     updates      21 k
centos7_server:  httpd                        x86_64  2.4.6-80.el7.centos              base        2.7 M
centos7_server:  httpd-tools                  x86_64  2.4.6-80.el7.centos              base         89 k
centos7_server:  java-1.8.0-openjdk-headless  x86_64  1:1.8.0.171-7.b10.el7            updates      32 M
centos7_server:  javapackages-tools           noarch  3.4.1-11.el7                     base         73 k
centos7_server:  libjpeg-turbo                x86_64  1.2.90-5.el7                     base        134 k
centos7_server:  libtool-ltdl                 x86_64  2.4.2-22.el7_3                   base         49 k
centos7_server:  libxslt                      x86_64  1.1.28-5.el7                     base        242 k
centos7_server:  lksctp-tools                 x86_64  1.0.17-2.el7                     base         88 k
centos7_server:  mailcap                      noarch  2.1.41-2.el7                     base         31 k
centos7_server:  mod_ssl                      x86_64  1:2.4.6-80.el7.centos            base        111 k
centos7_server:  mod_wsgi                     x86_64  3.4-12.el7_0                     base         76 k
centos7_server:  ncf                          noarch  1398866025:4.2.6.release-1.EL.7  Rudder      1.4 M
centos7_server:  ncf-api-virtualenv           noarch  1398866025:4.2.6.release-1.EL.7  Rudder      3.8 M
centos7_server:  openldap-clients             x86_64  2.4.44-15.el7_5                  updates     190 k
centos7_server:  postgresql                   x86_64  9.2.23-3.el7_4                   base        3.0 M
centos7_server:  postgresql-libs              x86_64  9.2.23-3.el7_4                   base        234 k
centos7_server:  postgresql-server            x86_64  9.2.23-3.el7_4                   base        3.8 M
centos7_server:  python-javapackages          noarch  3.4.1-11.el7                     base         31 k
centos7_server:  python-lxml                  x86_64  3.2.1-4.el7                      base        758 k
centos7_server:  rsyslog-pgsql                x86_64  8.24.0-16.el7_5.4                updates      34 k
centos7_server:  rudder-agent                 x86_64  1398866025:4.2.6.release-1.EL.7  Rudder       23 M
centos7_server:  rudder-inventory-endpoint    noarch  1398866025:4.2.6.release-1.EL.7  Rudder       38 M
centos7_server:  rudder-inventory-ldap        x86_64  1398866025:4.2.6.release-1.EL.7  Rudder      5.7 M
centos7_server:  rudder-jetty                 noarch  1398866025:4.2.6.release-1.EL.7  Rudder      5.4 M
centos7_server:  rudder-reports               noarch  1398866025:4.2.6.release-1.EL.7  Rudder       12 k
centos7_server:  rudder-server-relay          x86_64  1398866025:4.2.6.release-1.EL.7  Rudder      4.2 M
centos7_server:  rudder-techniques            noarch  1398866025:4.2.6.release-1.EL.7  Rudder       18 M
centos7_server:  rudder-webapp                noarch  1398866025:4.2.6.release-1.EL.7  Rudder       93 M
centos7_server:  tzdata-java                  noarch  2018e-3.el7                      updates     185 k
centos7_server: Updating for dependencies:
centos7_server:  nspr                         x86_64  4.19.0-1.el7_5                   updates     127 k
centos7_server:  nss                          x86_64  3.36.0-5.el7_5                   updates     835 k
centos7_server:  nss-softokn                  x86_64  3.36.0-5.el7_5                   updates     315 k
centos7_server:  nss-softokn-freebl           x86_64  3.36.0-5.el7_5                   updates     222 k
centos7_server:  nss-sysinit                  x86_64  3.36.0-5.el7_5                   updates      62 k
centos7_server:  nss-tools                    x86_64  3.36.0-5.el7_5                   updates     514 k
centos7_server:  nss-util                     x86_64  3.36.0-1.el7_5                   updates      78 k
centos7_server:  openldap                     x86_64  2.4.44-15.el7_5                  updates     355 k
centos7_server:  rsyslog                      x86_64  8.24.0-16.el7_5.4                updates     607 k
centos7_server:
Updated by Nicolas CHARLES over 6 years ago
Apache logs contain:

[Tue May 22 08:04:23.021489 2018] [core:notice] [pid 16279] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue May 22 08:04:23.022430 2018] [suexec:notice] [pid 16279] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 22 08:04:23.023317 2018] [ssl:warn] [pid 16279] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue May 22 08:04:23.039353 2018] [auth_digest:notice] [pid 16279] AH01757: generating secret for digest authentication ...
[Tue May 22 08:04:23.040131 2018] [lbmethod_heartbeat:notice] [pid 16279] AH02282: No slotmem from mod_heartmonitor
[Tue May 22 08:04:23.040910 2018] [ssl:warn] [pid 16279] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue May 22 08:04:23.043707 2018] [mpm_prefork:notice] [pid 16279] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Tue May 22 08:04:23.043732 2018] [core:notice] [pid 16279] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue May 22 08:04:53.299274 2018] [mpm_prefork:notice] [pid 16279] AH00170: caught SIGWINCH, shutting down gracefully
AH00015: Unable to open logs
(13)Permission denied: AH00091: httpd: could not open error log file /var/log/rudder/apache2/error.log.

# ls -al /var/log/rudder/apache2
total 4
drwxr-xr-x.  2 root root  41 22 mai 08:04 .
drwxr-xr-x. 11 root root 152 22 mai 08:05 ..
-rw-r--r--.  1 root root   0 22 mai 08:04 access.log
-rw-r--r--.  1 root root 286 22 mai 08:04 error.log
Updated by Nicolas CHARLES over 6 years ago
Trying to start the httpd service results in these lines being added to /var/log/secure:

May 22 08:38:43 server polkitd[660]: Registered Authentication Agent for unix-process:4434:219844 (system bus name :1.104 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
May 22 08:38:43 server polkitd[660]: Unregistered Authentication Agent for unix-process:4434:219844 (system bus name :1.104, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8) (disconnected from bus)
Updated by Nicolas CHARLES over 6 years ago
Upgrading selinux and reinstalling Rudder solves the issue
Upgrade is libsepol.x86_64 0:2.5-6.el7 => libsepol.x86_64 0:2.5-8.1.el7 and selinux-policy-targeted-3.13.1-166.el7_4.7.noarch => selinux-policy.noarch 0:3.13.1-192.el7_5.3
yum install libselinux selinux-policy
Modules complémentaires chargés : fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.quelquesmots.fr
 * extras: centos.quelquesmots.fr
 * updates: centos.mirror.fr.planethoster.net
Résolution des dépendances
--> Lancement de la transaction de test
---> Le paquet libselinux.x86_64 0:2.5-11.el7 sera mis à jour
--> Traitement de la dépendance : libselinux(x86-64) = 2.5-11.el7 pour le paquet : libselinux-utils-2.5-11.el7.x86_64
--> Traitement de la dépendance : libselinux(x86-64) = 2.5-11.el7 pour le paquet : libselinux-python-2.5-11.el7.x86_64
---> Le paquet libselinux.x86_64 0:2.5-12.el7 sera utilisé
---> Le paquet selinux-policy.noarch 0:3.13.1-166.el7_4.7 sera mis à jour
--> Traitement de la dépendance : selinux-policy = 3.13.1-166.el7_4.7 pour le paquet : selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
--> Traitement de la dépendance : selinux-policy = 3.13.1-166.el7_4.7 pour le paquet : selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
---> Le paquet selinux-policy.noarch 0:3.13.1-192.el7_5.3 sera utilisé
--> Traitement de la dépendance : policycoreutils >= 2.5-18 pour le paquet : selinux-policy-3.13.1-192.el7_5.3.noarch
--> Lancement de la transaction de test
---> Le paquet libselinux-python.x86_64 0:2.5-11.el7 sera mis à jour
---> Le paquet libselinux-python.x86_64 0:2.5-12.el7 sera utilisé
---> Le paquet libselinux-utils.x86_64 0:2.5-11.el7 sera mis à jour
---> Le paquet libselinux-utils.x86_64 0:2.5-12.el7 sera utilisé
---> Le paquet policycoreutils.x86_64 0:2.5-17.1.el7 sera mis à jour
---> Le paquet policycoreutils.x86_64 0:2.5-22.el7 sera utilisé
--> Traitement de la dépendance : libsepol >= 2.5-8 pour le paquet : policycoreutils-2.5-22.el7.x86_64
---> Le paquet selinux-policy-targeted.noarch 0:3.13.1-166.el7_4.7 sera mis à jour
---> Le paquet selinux-policy-targeted.noarch 0:3.13.1-192.el7_5.3 sera utilisé
--> Lancement de la transaction de test
---> Le paquet libsepol.x86_64 0:2.5-6.el7 sera mis à jour
---> Le paquet libsepol.x86_64 0:2.5-8.1.el7 sera utilisé
--> Résolution des dépendances terminée

Dépendances résolues

================================================================================
 Package                  Architecture  Version              Dépôt    Taille
================================================================================
Mise à jour :
 libselinux               x86_64        2.5-12.el7           base     162 k
 selinux-policy           noarch        3.13.1-192.el7_5.3   updates  453 k
Mise à jour pour dépendances :
 libselinux-python        x86_64        2.5-12.el7           base     235 k
 libselinux-utils         x86_64        2.5-12.el7           base     151 k
 libsepol                 x86_64        2.5-8.1.el7          base     297 k
 policycoreutils          x86_64        2.5-22.el7           base     867 k
 selinux-policy-targeted  noarch        3.13.1-192.el7_5.3   updates  6.6 M
Updated by François ARMAND over 6 years ago
- Subject changed from SElinux error when installing Rudder 4.2.6 on centos 7 to SElinux error when installing Rudder 4.1.12/4.2.6 on centos 7
I have the same problem on Centos7 / 4.1.12, so it's a problem with our build:
centos7lite_server: INFO: Applying ncf-api-virtualenv selinux policy...libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
centos7lite_server: ncf-api-virtualenv: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7lite_server: ncf-api-virtualenv: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
centos7lite_server: ncf-api-virtualenv: Failed to read policy package
centos7lite_server: libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
centos7lite_server: (No such file or directory).
centos7lite_server: semodule: Failed!
Updated by François ARMAND over 6 years ago
I have a not so recent centos7 box:

==> centos7lite_server: A newer version of the box 'geerlingguy/centos7' for provider 'virtualbox' is
==> centos7lite_server: available! You currently have version '1.2.5'. The latest is version
==> centos7lite_server: '1.2.8'. Run `vagrant box update` to update.
Updated by François ARMAND over 6 years ago
After updating the box, error is gone.
Updated by François ARMAND over 6 years ago
- Status changed from New to Rejected
It was a problem in the builder. We used a CentOS 7.4 or higher. Reverting to Centos 7.3 makes that ok again.
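In the output reported above, the installer prints "setup complete" and "Done" right after `semodule: Failed!`, so the missing SELinux modules only surface later when httpd cannot open its log file. The following check is an added example, not part of the ticket or of Rudder's packaging: it scans installer output for the libsepol version-range message and for semodule failures. The function names `audit_install_log` and `policy_load_ok` are hypothetical, and the sample lines are a subset copied from the report.

```python
import re

# Sample installer output: a subset of the lines quoted in the report above.
SAMPLE_LOG = """\
centos7_server: INFO: Starting Apache HTTPd... Done
centos7_server: libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
centos7_server: rudder-relay: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7_server: rudder-relay: Failed to read policy package
centos7_server: semodule: Failed!
centos7_server: INFO: rudder-server-relay setup complete.
centos7_server: ncf-api-virtualenv: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
centos7_server: semodule: Failed!
centos7_server: Done
"""

VERSION_RE = re.compile(
    r"(?P<module>[\w.-]+): libsepol\.policydb_read: policydb module version "
    r"(?P<ver>\d+) does not match my version range (?P<lo>\d+)-(?P<hi>\d+)")
FAILED = "semodule: Failed!"


def audit_install_log(text):
    """Return (version mismatches, count of semodule failures) found in installer output."""
    mismatches, failures = [], 0
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            ver, lo, hi = (int(m[k]) for k in ("ver", "lo", "hi"))
            cause = ("module compiled by a newer toolchain than this host supports"
                     if ver > hi else "module older than this host accepts")
            mismatches.append({"module": m["module"], "version": ver,
                               "supported": (lo, hi), "cause": cause})
        elif FAILED in line:
            failures += 1
    return mismatches, failures


def policy_load_ok(text):
    """Gate for a post-install check: False if any SELinux module failed to load."""
    mismatches, failures = audit_install_log(text)
    return not mismatches and failures == 0


if __name__ == "__main__":
    found, failed = audit_install_log(SAMPLE_LOG)
    for item in found:
        print("{module}: version {version}, host accepts {supported[0]}-{supported[1]} ({cause})".format(**item))
    print("semodule failures:", failed, "-> policy load ok:", policy_load_ok(SAMPLE_LOG))
```

A version above the supported range points at the build host rather than the target, which matches the resolution recorded in the ticket.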