Bug #14551: Remote run is broken on centos7 because of selinux - Rudder - Issue Tracker

Actions

Copy link

Bug #14551

closed

Remote run is broken on centos7 because of selinux

Added by François ARMAND over 5 years ago. Updated over 4 years ago.

Status:

Rejected

Priority:

N/A

Assignee:

Category:

System integration

Target version:

5.0.18

Pull Request:

Severity:

Major - prevents use of part of Rudder | no simple workaround

UX impact:

User visibility:

Operational - other Techniques | Rudder settings | Plugins

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

This happened on rudder 5.0, but it looks like it's not specific to that version of Rudder.
Maybe linked to #14391 (found in the same use case).

[root@server vagrant]# curl -X POST 'http://localhost/rudder/relay-api/remote-run/nodes' -d "asynchronous=false" -d "keep_output=true" -d "nodes=a81c4150-974f-4155-a9b9-3cd2c38dbf96" 
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: unable to open audit system: Permission denied
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: pam_open_session: System error
a81c4150-974f-4155-a9b9-3cd2c38dbf96:sudo: policy plugin failed session initialization

It's SELinux related, because with "setenforce 0", the remote run is correctly started - so perhaps linked to rudder version after all.

journalctl logs are:

server sudo[11520]:   rudder : TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local
server sudo[11520]: PAM audit_open() failed: Permission denied
server sudo[11520]: PAM audit_open() failed: Permission denied
server sudo[11520]:   rudder : pam_open_session: System error ; TTY=unknown ; PWD=/var/rudder ; USER=root ; COMMAND=/opt/rudder/bin/rudder remote run agent1.rudder.local
server sudo[11520]: PAM audit_open() failed: Permission denied

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by François ARMAND over 5 years ago

Related to Bug #14391: Only one Node below a Rudder server can be run through remote run API added

Actions

Copy link

Updated by François ARMAND over 5 years ago

Description updated (diff)

Actions

Copy link

Updated by François ARMAND over 5 years ago

Subject changed from Remote run is broken on centos7 to Remote run is broken on centos7 because of selinux

Actions

Copy link

Updated by François ARMAND over 5 years ago

Description updated (diff)
Status changed from New to In progress
Assignee set to François ARMAND

Actions

Copy link

Updated by François ARMAND over 5 years ago

After some more fidling, the problem seems to be with sudo and not with apache.

Actions

Copy link

Updated by Vincent MEMBRÉ over 5 years ago

Target version changed from 4.1.21 to 4.1.22

Actions

Copy link

Updated by François ARMAND over 5 years ago

Status changed from In progress to New
Assignee deleted (~~François ARMAND~~)
Severity set to Major - prevents use of part of Rudder | no simple workaround
User visibility set to Operational - other Techniques | Rudder settings | Plugins
Priority changed from 0 to 51

I'm setting to major because it's really not easy to understand that the problem is with SELinux and that a "setenforce 0" can workaround it - even if it's not a real solution.

Someone with selinux knowledge should look at it - I didn't understand what is going wrong.

Actions

Copy link